android中的系统服务,如AMS,PMS和WMS与四大应用组件之一的service完全是两回事.系统中的这些服务一直运行在系统进程中,永远不会被杀死,他们不是继承于service,而是继承Stub类或者Binder类,Stub最终也继承于binder.这些服务在系统启动的时候调用servicemanager的addservice方法进行注册.
public class PackageManagerService extends IPackageManager.Stub
/** Local-side IPC implementation stub class. */
public static abstract class Stub extends android.os.Binder implements android.content.pm.IPackageManager
public final class ActivityManagerService extends ActivityManagerNative implements Watchdog.Monitor, BatteryStatsImpl.BatteryCallback
/** Local-side IPC implementation stub class. */
public abstract class ActivityManagerNative extends Binder implements IActivityManager
public class WindowManagerService extends IWindowManager.Stub implements Watchdog.Monitor, WindowManagerPolicy.WindowManagerFuncs
/** Local-side IPC implementation stub class. */
public static abstract class Stub extends android.os.Binder implements android.view.IWindowManager
下面分创建,注册和获取三个部分介绍.
1. 服务的创建
由于服务继承binder,所以在构造的时候先调用binder的构造函数:
public Binder() {
init();
if (FIND_POTENTIAL_LEAKS) {
final Class<? extends Binder> klass = getClass();
if ((klass.isAnonymousClass() || klass.isMemberClass() || klass.isLocalClass()) &&
(klass.getModifiers() & Modifier.STATIC) == 0) {
Log.w(TAG, "The following Binder class should be static or leaks might occur: " +
klass.getCanonicalName());
}
}
}
可以看出主要是执行init()方法.
该方法是jni方法,进入frameworks/base/core/jni/android_util_Binder.cpp@android_os_Binder_init(JNIEnv* env, jobject obj)
static void android_os_Binder_init(JNIEnv* env, jobject obj)
{
JavaBBinderHolder* jbh = new JavaBBinderHolder();
if (jbh == NULL) {
jniThrowException(env, "java/lang/OutOfMemoryError", NULL);
return;
}
ALOGV("Java Binder %p: acquiring first ref on holder %p", obj, jbh);
jbh->incStrong((void*)android_os_Binder_init);
env->SetLongField(obj, gBinderOffsets.mObject, (jlong)jbh);
}
其中传进来的obj就是java层的服务对象.
该方法做了三件事:
1. JavaBBinderHolder* jbh = new JavaBBinderHolder();
为java层的service在native层创建了JavaBBinderHolder对象jbh,并把java层服务对象作为参数传入.
2.jbh->incStrong((void*)android_os_Binder_init);
增加JavaBBinderHolder对象jhb的强引用计数,因为他被java层服务引用了.
3.env->SetLongField(obj, gBinderOffsets.mObject, (jlong)jbh);
将JavaBBinderHolder对象jhb的地址保存在java服务的父类mObject中,这样java服务就可以通过mObject访问native层的JavaBBinderHolder对象jhb.
下面详细分析JavaBBinderHolder
class JavaBBinderHolder : public RefBase
{
public:
sp<JavaBBinder> get(JNIEnv* env, jobject obj)
{
AutoMutex _l(mLock);
sp<JavaBBinder> b = mBinder.promote();
if (b == NULL) {
b = new JavaBBinder(env, obj); (1)
mBinder = b;
ALOGV("Creating JavaBinder %p (refs %p) for Object %p, weakCount=%" PRId32 "\n",
b.get(), b->getWeakRefs(), obj, b->getWeakRefs()->getWeakCount());
}
return b;
}
sp<JavaBBinder> getExisting()
{
AutoMutex _l(mLock);
return mBinder.promote();
}
private:
Mutex mLock;
wp<JavaBBinder> mBinder; (2)
};
(1)可以看出jbh通过get()方法创建了一个binder本地对象JavaBBinder对象b,并将java层服务对象obj传入b中,及b持有java层服务obj的引用.
(2)可看出jbh通过持有JavaBBinder对象b最终持有了Java层服务的引用obj,名称为mBinder,那是谁调用的(1)中的get()方法呢?.
继续分析:
sp<IBinder> ibinderForJavaObject(JNIEnv* env, jobject obj)
{
if (obj == NULL) return NULL;
if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
JavaBBinderHolder* jbh = (JavaBBinderHolder*)
env->GetLongField(obj, gBinderOffsets.mObject);
return jbh != NULL ? jbh->get(env, obj) : NULL; (1)
}
if (env->IsInstanceOf(obj, gBinderProxyOffsets.mClass)) {
return (IBinder*)
env->GetLongField(obj, gBinderProxyOffsets.mObject);
}
ALOGW("ibinderForJavaObject: %p is not a Binder object", obj);
return NULL;
}
该函数(1)处调用了get()方法,从该函数名可以看出是获取java object的binder对象.继续查找调用该函数的地方
frameworks/base/core/jni/android_os_Parcel.cpp
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr, jobject object)
{
Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
if (parcel != NULL) {
const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object)); (1)
if (err != NO_ERROR) {
signalExceptionForError(env, clazz, err);
}
}
}
(1)处调用了ibinderForJavaObject(JNIEnv* env, jobject obj)方法,到此基本明确了.
android_os_Parcel_writeStrongBinder是一个jni方法,该方法是所有Java服务类在注册的时候,将其对应的binder本地对象数据写到Parcel中调用的.也就是说在注册服务的时候会创建服务的binder本地对象JavaBBinder.
总结: 服务的创建过程实际上就是为服务创建了一个JavaBBinderHolder这么一个对象,这个对象在服务注册的时候为服务创建binder本地对象JavaBBinder, 并与Java服务相互引用.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2. 服务的注册(以ActivityManagerService简称AMS为例)
AMS是在systemservice启动的过程中注册到service manager的,前面的调用过程为:
1. frameworks/base/services/java/com/android/server/SystemServer.java : run()
frameworks/base/services/java/com/android/server/SystemServer.java : startBootstrapServices()
frameworks/base/services/java/com/android/server/am/ActivityManagerService.java : setSystemProcess()
2. frameworks/base/core/java/android/os/ServiceManager.java
public static void addService(String name, IBinder service, boolean allowIsolated) {
try {
getIServiceManager().addService(name, service, allowIsolated);
} catch (RemoteException e) {
Log.e(TAG, "error in addService", e);
}
}
这里需要先调用getIServiceManager()获取service manager的远程代理,下面分析getIServiceManager()的实现过程
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// Find the service manager
sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
return sServiceManager;
}
如果service manager的代理对象已经存在就直接返回,否则调用ServiceManagerNative.asInterface(BinderInternal.getContextObject());方法创建.这里首先分析参数的获取BinderInternal.getContextObject().
3. frameworks/base/core/java/com/android/internal/os/BinderInternal.java
/**
* Return the global "context object" of the system. This is usually
* an implementation of IServiceManager, which you can use to find
* other services.
*/
public static final native IBinder getContextObject();
这是个native方法,另外从注释可以看出这是个全局对象,也就是单例.
4. frameworks/base/core/jni/android_util_Binder.cpp
定义jni函数
static const JNINativeMethod gBinderInternalMethods[] = {
/* name, signature, funcPtr */
{ "getContextObject", "()Landroid/os/IBinder;", (void*)android_os_BinderInternal_getContextObject },
{ "joinThreadPool", "()V", (void*)android_os_BinderInternal_joinThreadPool },
{ "disableBackgroundScheduling", "(Z)V", (void*)android_os_BinderInternal_disableBackgroundScheduling },
{ "handleGc", "()V", (void*)android_os_BinderInternal_handleGc }
};
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b);
}
首先调用ProcessState的getContextObject()方法
5. frameworks/native/libs/binder/ProcessState.cpp
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/)
{
return getStrongProxyForHandle(0);
}
进入
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
AutoMutex _l(mLock);
handle_entry* e = lookupHandleLocked(handle);
if (e != NULL) {
// We need to create a new BpBinder if there isn't currently one, OR we
// are unable to acquire a weak reference on this current one. See comment
// in getWeakProxyForHandle() for more info about this.
IBinder* b = e->binder;
if (b == NULL || !e->refs->attemptIncWeak(this)) {
if (handle == 0) {
// Special case for context manager...
// The context manager is the only object for which we create
// a BpBinder proxy without already holding a reference.
// Perform a dummy transaction to ensure the context manager
// is registered before we create the first local reference
// to it (which will occur when creating the BpBinder).
// If a local reference is created for the BpBinder when the
// context manager is not present, the driver will fail to
// provide a reference to the context manager, but the
// driver API does not return status.
//
// Note that this is not race-free if the context manager
// dies while this code runs.
//
// TODO: add a driver API to wait for context manager, or
// stop special casing handle 0 for context manager and add
// a driver API to get a handle to the context manager with
// proper reference counting.
Parcel data;
status_t status = IPCThreadState::self()->transact(
0, IBinder::PING_TRANSACTION, data, NULL, 0);
if (status == DEAD_OBJECT)
return NULL;
}
b = new BpBinder(handle);
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
// This little bit of nastyness is to allow us to add a primary
// reference to the remote proxy when this team doesn't have one
// but another team is sending the handle to us.
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
这个方法根据传入的handle值获取BpBinder对象,handle=0的BpBinder是service manager对应的BpBinder.
当内存中有现成的可以使用就直接返回,没有就new一个返回.
6. frameworks/base/core/jni/android_util_Binder.cpp
然后执行
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
......
object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
......
return object;
}
这个方法是根据刚创建的BpBinder对象创建Java层的Binder代理对象BinderProxy.也就是说BinderInternal.getContextObject()方法最终返回的是service manager对应的BinderProxy对象.
7. 再看sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());方法
然后进入ServiceManagerNative
static public IServiceManager asInterface(IBinder obj)
{
if (obj == null) {
return null;
}
IServiceManager in =
(IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ServiceManagerProxy(obj);
}
首先检查本地是否已有service manager的远程代理对象,有就直接返回,没有就创建一个并把BinderProxy对象传入作为ServiceManagerProxy的mRemote成员变量.
到此就获取到了service manager的远程代理对象ServiceManagerProxy,他持有sevice manager的binder代理对象binderProxy.
8.调用ServiceManagerProxy的addService()方法
public void addService(String name, IBinder service, boolean allowIsolated)
throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor); ----写入RPC头信息
data.writeString(name); ----写入需要注册的service名称
data.writeStrongBinder(service); ----写入service
data.writeInt(allowIsolated ? 1 : 0);
mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0); ----调用BinderProxy的transact方法
reply.recycle();
data.recycle();
}
这里重点关注data.writeStrongBinder(service);
public final void writeStrongBinder(IBinder val) {
nativeWriteStrongBinder(mNativePtr, val);
}
这是一个native方法
9. frameworks/base/core/jni/android_os_Parcel.cpp
定义jni
{"nativeWriteStrongBinder", "(JLandroid/os/IBinder;)V", (void*)android_os_Parcel_writeStrongBinder},
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr, jobject object)
{
Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
if (parcel != NULL) {
const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object)); ----这里需要关注参数
if (err != NO_ERROR) {
signalExceptionForError(env, clazz, err);
}
}
}
10. frameworks/base/core/jni/android_util_Binder.cpp
sp<IBinder> ibinderForJavaObject(JNIEnv* env, jobject obj)
{
if (obj == NULL) return NULL;
if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
JavaBBinderHolder* jbh = (JavaBBinderHolder*)
env->GetLongField(obj, gBinderOffsets.mObject);
return jbh != NULL ? jbh->get(env, obj) : NULL;
}
if (env->IsInstanceOf(obj, gBinderProxyOffsets.mClass)) {
return (IBinder*)
env->GetLongField(obj, gBinderProxyOffsets.mObject);
}
ALOGW("ibinderForJavaObject: %p is not a Binder object", obj);
return NULL;
}
这里首先从JavaBBinderHolder中获取JavaBBinder对象,如果有就直接返回JavaBBinder对象,没有就调用JavaBBinderHolder的get()方法创建JavaBBinder并返回.
注意,这里创建binder本地对象JavaBBinder的时候需要将目标服务AMS的java对象obj传入.
所以,第8步中的data.writeStrongBinder(service); 实际上是将AMS的binder本地对象JavaBBinder写到了parcel中.
11. 再看第8步中的mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
由于mRemote是BinderProxy对象,所以这个传输是标准的传输,此处不再累述.
总结: 首先也是获取service manager的代理对象ServiceManagerProxy,然后调用该对象的addService()方法进行注册.addService()方法通过调用Parcel.writeStrongBinder(service)方法为service创建了binder本地对象JavaBBinder,并将JavaBBinder注册到service manamger中.注意,是注册service对应的JavaBBinder,而并非注册的service自身.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3. 服务的获取(以ActivityManagerService为例)
应用进程在与系统服务通信的时候,都需要先从service manager处获取到目标服务的远程代理对象.在这里通过获取AMS的远程代理对象ActivityManagerProxy进行分析.
1.frameworks/base/core/java/android/app/ActivityManagerNative.java
调用getDefault()方法
static public IActivityManager getDefault() {
return gDefault.get();
}
private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>() {
protected IActivityManager create() {
IBinder b = ServiceManager.getService("activity");
if (false) {
Log.v("ActivityManager", "default service binder = " + b);
}
IActivityManager am = asInterface(b);
if (false) {
Log.v("ActivityManager", "default service = " + am);
}
return am;
}
};
2. frameworks/base/core/java/android/os/ServiceManager.java
public static IBinder getService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return getIServiceManager().getService(name);
}
} catch (RemoteException e) {
Log.e(TAG, "error in getService", e);
}
return null;
}
首先看缓存中是否已有需要的service代理对象,有就直接返回,没有就调用service manager的getService方法.由于service manager是一个独立的进程,所以这里也需要用binder通信先获取service manager的代理.这个过程在这里就不展开.
3.frameworks/base/core/java/android/os/ServiceManagerNative.java
3.frameworks/base/core/java/android/os/ServiceManagerNative.java
public IBinder getService(String name) throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
mRemote.transact(GET_SERVICE_TRANSACTION, data, reply, 0); (1)
IBinder binder = reply.readStrongBinder(); (2)
reply.recycle();
data.recycle();
return binder;
}
(1)处通过标准的传输流程将命令GET_SERVICE_TRANSACTION和通信数据拷贝到内核空间之后,通过不停的与驱动程序交互,读取service manager执行完返回的数据,并写到reply里面.
(2)处调用readStrongBinder()方法创建AMS的binder代理对象BpBinder和BinderProxy.然后返回BinderProxy.
4.frameworks/base/core/java/android/os/Parcel.java
public final IBinder readStrongBinder() {
return nativeReadStrongBinder(mNativePtr);
}
这是一个native方法
5. frameworks/base/core/jni/android_os_Parcel.cpp
jni方法定义
{"nativeReadStrongBinder", "(J)Landroid/os/IBinder;", (void*)android_os_Parcel_readStrongBinder}
jni方法实现
static jobject android_os_Parcel_readStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr)
{
Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
if (parcel != NULL) {
return javaObjectForIBinder(env, parcel->readStrongBinder());
}
return NULL;
}
关键语句:return javaObjectForIBinder(env, parcel->readStrongBinder());
6.先看参数parcel->readStrongBinder()
frameworks/native/libs/binder/Parcel.cpp
sp<IBinder> Parcel::readStrongBinder() const
{
sp<IBinder> val;
unflatten_binder(ProcessState::self(), *this, &val);
return val;
}
status_t unflatten_binder(const sp<ProcessState>& proc,
const Parcel& in, sp<IBinder>* out)
{
const flat_binder_object* flat = in.readObject(false);
if (flat) {
switch (flat->type) {
case BINDER_TYPE_BINDER:
*out = reinterpret_cast<IBinder*>(flat->cookie);
return finish_unflatten_binder(NULL, *flat, in);
case BINDER_TYPE_HANDLE:
*out = proc->getStrongProxyForHandle(flat->handle);
return finish_unflatten_binder(
static_cast<BpBinder*>(out->get()), *flat, in);
}
}
return BAD_TYPE;
}
关键语句:*out = proc->getStrongProxyForHandle(flat->handle);
7.frameworks/native/libs/binder/ProcessState.cpp
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
sp<IBinder> result;
AutoMutex _l(mLock);
handle_entry* e = lookupHandleLocked(handle);
if (e != NULL) {
IBinder* b = e->binder;
if (b == NULL || !e->refs->attemptIncWeak(this)) {
if (handle == 0) {
Parcel data;
status_t status = IPCThreadState::self()->transact(
0, IBinder::PING_TRANSACTION, data, NULL, 0);
if (status == DEAD_OBJECT)
return NULL;
}
b = new BpBinder(handle);
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
在该函数中根据驱动传上来的handle值创建AMS的BpBinder对象.
8. 再看javaObjectForIBinder(env, parcel->readStrongBinder());
frameworks/base/core/jni/android_util_Binder.cpp
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
......
object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
......
return object;
}
该函数用BpBinder做参数创建了AMS的Java层binder代理对象BinderProxy. BinderProxy的成员变量mObject就是BpBinder.
及第3部中的IBinder binder = reply.readStrongBinder(); 语句返回了AMS的Java层binder代理对象BinderProxy.
9. 再看第1步中的IActivityManager am = asInterface(b);
frameworks/base/core/java/android/app/ActivityManagerNative.java
static public IActivityManager asInterface(IBinder obj) {
if (obj == null) {
return null;
}
IActivityManager in =
(IActivityManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ActivityManagerProxy(obj);
}
总结: 首先还是获取service manager的远程代理对象ServiceManagerProxy,然后调用该对象的getService()方法获取AMS的远程代理对象ActivityManagerProxy.在getService()方法执行过程中,通过调用Parcel.readStrongBinder()方法为AMS创建Binder远程代理对象BpBinder和BinderProxy,并把从驱动传上来的handle值传入BpBinder.BinderProxy的成员变量mObject是对BpBinder的引用,最后调用ActivityManagerNative.asInterface()方法为AMS创建远程代理对象ActivityManagerProxy并把BinderProxy作为变量mRemote传入.每次通信的调用链为ActivityManagerProxy ---> BinderProxy ---> BpBinder.
到此,AMS服务个获取结束.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
总结:
服务的创建过程就是为Java服务创建JavaBBinderHoder对象,该对象与Java服务对象相互引用.
服务的注册过程就是为Java服务创建本地端的Binder对象JavaBBinder. 通过Parcel.writeStrongBinder(service)实现.
服务的获取过程就是为Java服务创建代理端的Binder对象BpBinder和BinderProxy,BpBinder位于native层,BinderProxy位于Java层.BinderProxy持有BpBinder的引用.最后使用BinderProxy作为参数创建服务的代理对象xxxManagerService.