初始化Java层Binder框架
在Android系统中,在Java初创时期,系统会提前注册一些JNI函数,其中有一个函数专门负责搭建Java Binder和Native Binder交互关系
rameworks\base\core\jni\android_util_Binder.cpp
int register_android_os_Binder(JNIEnv* env)
{
//初始化Java Binder类和Native层的关系
if (int_register_android_os_Binder(env) < 0)
return -1;
//初始化Java BinderInternal类和Native层的关系
if (int_register_android_os_BinderInternal(env) < 0)
return -1;
//初始化Java BinderProxy类和Native层的关系
if (int_register_android_os_BinderProxy(env) < 0)
return -1;
//初始化Java Parcel类和Native层的关系
if (int_register_android_os_Parcel(env) < 0)
return -1;
return 0;
}
Binder类的初始化
static int int_register_android_os_Binder(JNIEnv* env)
{
jclass clazz;
//kBinderPathName为Java层中Binder类的全路径名,“android/os/Binder“
clazz = env->FindClass(kBinderPathName);
LOG_FATAL_IF(clazz == NULL, "Unable to find class android.os.Binder");
/*
gBinderOffSets是一个静态类对象,它专门保存Binder类的一些在JNI层中使用的信息,
如成员函数execTranscat的methodID,Binder类中成员mObject的fildID
*/
gBinderOffsets.mClass = (jclass) env->NewGlobalRef(clazz);
gBinderOffsets.mExecTransact
= env->GetMethodID(clazz, "execTransact", "(IIII)Z");
assert(gBinderOffsets.mExecTransact);
gBinderOffsets.mObject
= env->GetFieldID(clazz, "mObject", "I");
assert(gBinderOffsets.mObject);
//注册Binder类中native函数的实现
return AndroidRuntime::registerNativeMethods(
env, kBinderPathName,
gBinderMethods, NELEM(gBinderMethods));
}
BinderInternal类的初始化
static int int_register_android_os_BinderInternal(JNIEnv* env)
{
jclass clazz;
//根据BinderInternal的全路径名找到代表该类的jclass对象。全路径名为
// “com/android/internal/os/BinderInternal”
clazz = env->FindClass(kBinderInternalPathName);
LOG_FATAL_IF(clazz == NULL, "Unable to find class com.android.internal.os.BinderInternal");
gBinderInternalOffsets.mClass = (jclass) env->NewGlobalRef(clazz);
//获取forceBinderGc的methodID
gBinderInternalOffsets.mForceGc
= env->GetStaticMethodID(clazz, "forceBinderGc", "()V");
assert(gBinderInternalOffsets.mForceGc);
//注册BinderInternal类中native函数的实现
return AndroidRuntime::registerNativeMethods(
env, kBinderInternalPathName,
gBinderInternalMethods, NELEM(gBinderInternalMethods));
}
BinderProxy类的初始化
static int int_register_android_os_BinderProxy(JNIEnv* env)
{
jclass clazz;
clazz = env->FindClass("java/lang/ref/WeakReference");
LOG_FATAL_IF(clazz == NULL, "Unable to find class java.lang.ref.WeakReference");
//gWeakReferenceOffsets用来和WeakReference类打交道
gWeakReferenceOffsets.mClass = (jclass) env->NewGlobalRef(clazz);
//获取WeakReference类get函数的MethodID
gWeakReferenceOffsets.mGet
= env->GetMethodID(clazz, "get", "()Ljava/lang/Object;");
assert(gWeakReferenceOffsets.mGet);
//gErrorOffsets用来和Error类打交道
clazz = env->FindClass("java/lang/Error");
LOG_FATAL_IF(clazz == NULL, "Unable to find class java.lang.Error");
//gBinderProxyOffsets用来和BinderProxy类打交道
gErrorOffsets.mClass = (jclass) env->NewGlobalRef(clazz);
//获取BinderProxy的一些信息
clazz = env->FindClass(kBinderProxyPathName);
LOG_FATAL_IF(clazz == NULL, "Unable to find class android.os.BinderProxy");
gBinderProxyOffsets.mClass = (jclass) env->NewGlobalRef(clazz);
gBinderProxyOffsets.mConstructor
= env->GetMethodID(clazz, "<init>", "()V");
assert(gBinderProxyOffsets.mConstructor);
gBinderProxyOffsets.mSendDeathNotice
= env->GetStaticMethodID(clazz, "sendDeathNotice", "(Landroid/os/IBinder$DeathRecipient;)V");
assert(gBinderProxyOffsets.mSendDeathNotice);
gBinderProxyOffsets.mObject
= env->GetFieldID(clazz, "mObject", "I");
assert(gBinderProxyOffsets.mObject);
gBinderProxyOffsets.mSelf
= env->GetFieldID(clazz, "mSelf", "Ljava/lang/ref/WeakReference;");
assert(gBinderProxyOffsets.mSelf);
//注册BinderProxy native函数的实现
return AndroidRuntime::registerNativeMethods(
env, kBinderProxyPathName,
gBinderProxyMethods, NELEM(gBinderProxyMethods));
}
int_register_android_os_BinderProxy函数除了初始化BinderProxy类外,还获取了WeakReference类和Error类的一些信息。
通过一个例子来分析Java Binder的工作流程
首先分析AMS如何将自己注册到ServiceManager
然后分析AMS如何响应客户端的Binder调用请求。
frameworks\base\services\java\com\android\server\am\ActivityManagerService.java
public static void setSystemProcess() {
try {
ActivityManagerService m = mSelf;
//将ActivityManagerService服务注册到ServiceManager中
ServiceManager.addService("activity", m);
ServiceManager.addService("meminfo", new MemBinder(m));
if (MONITOR_CPU_USAGE) {
ServiceManager.addService("cpuinfo", new CpuBinder(m));
}
ServiceManager.addService("activity.broadcasts", new BroadcastsBinder(m));
ServiceManager.addService("activity.services", new ServicesBinder(m));
ServiceManager.addService("activity.senders", new SendersBinder(m));
ServiceManager.addService("activity.providers", new ProvidersBinder(m));
ServiceManager.addService("permission", new PermissionController(m));
ApplicationInfo info =
mSelf.mContext.getPackageManager().getApplicationInfo(
"android", STOCK_PM_FLAGS);
synchronized (mSelf) {
ProcessRecord app = mSelf.newProcessRecordLocked(
mSystemThread.getApplicationThread(), info,
info.processName);
app.persistent = true;
app.pid = Process.myPid();
app.maxAdj = SYSTEM_ADJ;
mSelf.mProcessNames.put(app.processName, app.info.uid, app);
synchronized (mSelf.mPidsSelfLocked) {
mSelf.mPidsSelfLocked.put(app.pid, app);
}
mSelf.updateLRUListLocked(app, true);
}
} catch (PackageManager.NameNotFoundException e) {
throw new RuntimeException(
"Unable to find android system package", e);
}
}
上面所示代码行的目的是将ActivityManagerService服务加到ServiceManager中
如何注册
向ServiceManager注册服务
frameworks\base\core\java\android\os\ServiceManager.java
/**
* Place a new @a service called @a name into the service
* manager.
*
* @param name the name of the new service
* @param service the service object
*/
public static void addService(String name, IBinder service) {
try {
//getIServiceManager返回什么
getIServiceManager().addService(name, service);
} catch (RemoteException e) {
Log.e(TAG, "error in addService", e);
}
}
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// Find the service manager
//调用asInterface,传递的参数类型为IBinder
sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
return sServiceManager;
}
asInterface的参数为BinderInternal.getContextObject的返回值。这是一个native的函数,其实现的代码为:
frameworks\base\core\jni\android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
//由Native对象创建一个Java对象,下面分析该函数
return javaObjectForIBinder(env, b);
}
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
if (val == NULL) return NULL;
if (val->checkSubclass(&gBinderOffsets)) {
// One of our own!
jobject object = static_cast<JavaBBinder*>(val.get())->object();
//printf("objectForBinder %p: it's our own %p!\n", val.get(), object);
return object;
}
// For the rest of the function we will hold this lock, to serialize
// looking/creation of Java proxies for native Binder proxies.
//mProxyLock是一个全局的静态CMutex对象
AutoMutex _l(mProxyLock);
// Someone else's... do we know about it?
/*
val对象实际类型是BpBinder,读者可自行分析BpBinder.cpp中的findObject函数。
事实上,在Native层的BpBinder中有一个ObjectManager,它用来管理在Native BpBinder
上创建的Java BpBinder对象。下面这个findObject用来判断gBinderProxyOffsets
是否已经保存在ObjectManager中。如果是,那就需要删除这个旧的object
*/
jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
if (object != NULL) {
jobject res = env->CallObjectMethod(object, gWeakReferenceOffsets.mGet);
if (res != NULL) {
LOGV("objectForBinder %p: found existing %p!\n", val.get(), res);
return res;
}
LOGV("Proxy object %p of IBinder %p no longer in working set!!!", object, val.get());
android_atomic_dec(&gNumProxyRefs);
val->detachObject(&gBinderProxyOffsets);
env->DeleteGlobalRef(object);
}
//创建一个新的BinderProxy对象,并注册到Native BpBinder对象的ObjectManager中
object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
if (object != NULL) {
LOGV("objectForBinder %p: created new %p!\n", val.get(), object);
// The proxy holds a reference to the native object.
env->SetIntField(object, gBinderProxyOffsets.mObject, (int)val.get());
val->incStrong(object);
// The native object needs to hold a weak reference back to the
// proxy, so we can retrieve the same proxy if it is still active.
jobject refObject = env->NewGlobalRef(
env->GetObjectField(object, gBinderProxyOffsets.mSelf));
/*
将这个新创建的BinderProxy对象注册(attach)到BpBinder的ObjectManager中,
同时注册一个回收函数proxy_cleanup。当BinderProxy对象撤销(detach)的时候,
该函数会 被调用,以释放一些资源。读者可自行研究proxy_cleanup函数。
*/
val->attachObject(&gBinderProxyOffsets, refObject,
jnienv_to_javavm(env), proxy_cleanup);
// Note that a new object reference has been created.
//增加该Proxy对象的引用计数
android_atomic_inc(&gNumProxyRefs);
//下面这个函数用于垃圾回收。创建的Proxy对象一旦超过200个,该函数
//将调用BinderInter类的ForceGc做一次垃圾回收
incRefsCreated(env);
}
return object;
}
分析ServiceManagerNative类的asInterface函数
frameworks\base\core\java\android\os\ServiceManagerNative.java
/**
* Cast a Binder object into a service manager interface, generating
* a proxy if needed.
*/
static public IServiceManager asInterface(IBinder obj)
{
if (obj == null) {
return null;
}
IServiceManager in =
(IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
//以obj为参数,创建一个ServiceManagerProxy对象
return new ServiceManagerProxy(obj);
}
addService函数分析
分析ServiceManagerProxy的addService函数
public void addService(String name, IBinder service)
throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
//注意下面这个writeStrongBinder函数,后面我们会详细分析它
data.writeStrongBinder(service);
//mRemote实际上就是BinderProxy对象,调用它的transact,将封装好的请求数据
//发送出去
mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
reply.recycle();
data.recycle();
}
BinderProxy的transact,是一个native函数,其实现函数的代码如下
frameworks\base\core\jni\android_util_Binder.cpp
static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
jint code, jobject dataObj,
jobject replyObj, jint flags)
{
if (dataObj == NULL) {
jniThrowException(env, "java/lang/NullPointerException", NULL);
return JNI_FALSE;
}
//从Java的Parcel对象中得到Native的Parcel对象
Parcel* data = parcelForJavaObject(env, dataObj);
if (data == NULL) {
return JNI_FALSE;
}
//得到一个用于接收回复的Parcel对象
Parcel* reply = parcelForJavaObject(env, replyObj);
if (reply == NULL && replyObj != NULL) {
return JNI_FALSE;
}
//从Java的BinderProxy对象中得到之前已经创建好的那个Native的BpBinder对象
IBinder* target = (IBinder*)
env->GetIntField(obj, gBinderProxyOffsets.mObject);
if (target == NULL) {
jniThrowException(env, "java/lang/IllegalStateException", "Binder has been finalized!");
return JNI_FALSE;
}
LOGV("Java code calling transact on %p in Java object %p with code %d\n",
target, obj, code);
//printf("Transact from Java code to %p sending: ", target); data->print();
//通过Native的BpBinder对象,将请求发送给ServiceManager
status_t err = target->transact(code, *data, reply, flags);
//if (reply) printf("Transact from Java code to %p received: ", target); reply->print();
if (err == NO_ERROR) {
return JNI_TRUE;
} else if (err == UNKNOWN_TRANSACTION) {
return JNI_FALSE;
}
signalExceptionForError(env, obj, err);
return JNI_FALSE;
}