一、学习笔记
1.Binder的核心是IPC和RPC
IPC: (Inter-Process Communication)进程间通信,指至少两个进程或线程间传送数据或信号的一些技术或方法。
RPC: (Remote-Process Communication)远程过程调用,类似于调用其它进程的函数。
ICP三要素:
源:A
目的:
B向ServiceManager注册led服务
A向ServiceManager查询led服务得到一个handle。
数据:buf[512]
RPC:
调用哪个函数:Server的函数编号
传给它什么参数:通过IPC的buf[]进行传输(使用的是binder驱动)。
返回结果:远端执行完返回值
2.系统自带的C实现的Binder程序:frameworks/native/cmds/servicemanager
service_manager.c 充当SM的角色,管理所有的Service,其本身也是一个服务。
binder.c 封装好的C库
bctest.c 半成品,演示怎样注册服务
3.int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr)
如果两个service的注册函数svcmgr_publish()的最后一个参数值相同,那么会报错。
正常情况下kill掉service_manager的时候,所有的service都会收到死亡通知,然后从链表中删除掉。但是若两个service指定为相同的ptr,
那么下次再重启service_manager的时候它会报这个服务已经存在了,由于相同的ptr导致kill掉service_manager时有一个并没有收到死亡通
知,也就不能从链表中删除。
4.binder应该是个内核线程,binder驱动中创建了一个单CPU的工作队列
# ps | grep binder
root 1073 2 0 0 c00a0668 00000000 S binder
5.驱动中数据结构表示
struct binder_ref : 表示引用
binder_node :表示一个Service
binder_proc :表示进程
binder_thread :表示线程的一个线程
6.handle是进程A(Client)对进程B(Service)提供的服务的引用,由handle可以对比desc成员找到binder_ref结构,
其*node成员指向表示某项服务的binder_node结构体,binder_node的proc成员指向表示进程的binder_proc结构体,其内部指向对应的进程
从而找到目的进程, 然后把数据给到目的进程的todo链表上,然后唤醒目的进程。
7.handler是per-process的
8.mmap使用户态可以直接操作内核态的内存。service mmap后,service用户空间就可以直接使用内核buff.所以binder通信只需要client端的
一次copy_from_user()一次拷贝。但是数据类型cmd还是要拷贝两次的。
9.发给驱动的命令和驱动发给用户的命令是不同的
A进程给B进程发送数据:A进程使用BC_TRANSACTION发送,经过binder驱动转换,B进程接收到是BR_TRANSACTION
B进程给A进程回复数据:B进程使用BC_REPLY发送,经过binder驱动转换,A进程接收到是BR_REPLY
只有这四种会涉及2个进程,其它的cmd都只涉及应用和驱动的通信。
10.每个进程在open("/dev/binder")时会给它创建一个binder_proc结构,每个进程在调用ioctl()的时候都会创建一个binder_thread结构。
11.Service可以分为匿名和具名Service. 前者没有注册到ServiceManager, 应用无法通过名字获取到访问该服务的Proxy对象。
12.但是创建子进程不能使用fork(),因为在service_manager.c中binder_open()中mmap()调用内核的binder_mmap():
这里指定了VM_DONTCOPY,在用户空间中使用fork()创建的子进程无法访问到service_manager.c中mmap()的内存
vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;
只能使用pthread_create(),它会把mmap()的空间也拷贝过来。
13.创建多线程Service读取到驱动发出的BR_SPAWN_LOOPER后使用pthread_create()创建多线程。驱动处理不过来的时候就会向Service发送这个
请求命令。驱动判断处理不过来的方法是Service端没有线程在阻塞等待。Service可以设置最大线程数量。
14.addService执行流程
(1) test_service中为每个service构造flat_binder_object结构体,其type=BINDER_TYPE_BINDER表示让binder驱动为我这个Service构造一个
binder_node结构体,每个不同的服务的*binder或cookie域不同。
(2) ioctl(BINDER_WRITE_READ)来发送数据。数据中包括flat_binder_object结构体和服务的名字,数据中的handle=0表示发给SM。
(3) binder驱动中为每一个flat_binder_object构造一个binder_node结构体,它表示一个Service。
(4) binder驱动根据handle=0找到SM,然后把数据发给SM。并为SM构造binder_ref结构体。
(5) SM应用程序中收到数据后记录下Service的名字和handle(desc)值,记录的数据保存在svlist链表上。
15.getService执行流程
(1) test_client构造数据,name为要获取的Service的名字,handle为0表示向SM获取服务。
(2) 调用ioctl(BINDER_WRITE_READ)将数据发给binder驱动
(3) binder驱动根据handle=0找到SM进程,然后把数据发给SM进程
(4) SM进程从svlist链表中根据名字找到对应Service的handle值,然后将其写给驱动(目的是发给Client)。写给驱动的数据格式也是一个
flat_binder_object结构体,其type=BINDER_TYPE_HANDLE表示让驱动为client进程创建一个binder_ref结构体。
(5) 驱动发现收到的数据中有flat_binder_object结构体且其type=BINDER_TYPE_HANDLE就会为Client进程创建一个binder_ref结构体,
其handle为数据中的handle,node域指向要获得Service的binder_node结构体。
16.client使用Service的执行流程
(1) 构造数据,参数:code表示调用哪个函数,handle表示使用哪个Service
(2) 使用ioctl(BINDER_WRITE_READ)将数据发给驱动
(3) 驱动中取出数据,根据handle找到binder_ref结构体(对比desc域),根据其node域找到binder_node结构体(表示一个Service)从而找到
对应的Service,然后把数据传给这个Service进程,并设置数据中的ptr和cookie为binder_node的ptr和cookie.
(4) Service进程中根据ptr和cookie值得知Client想调用哪个函数(服务)。
17.mm showcommands 编译,打印出头文件搜索路径等信息
18.Binder系统过程分析
(1)addService("Hello", *ptr),在C实现的Demo中调用bio_put_obj(),将ptr赋值给flat_binder_object.binder,cookie赋值为0。内核中
表示服务的binder_node结构的*ptr和*cookie的值就是由Service应用程序传参控制的,可用于区分不同的Service。
void bio_put_obj(struct binder_io *bio, void *ptr) { /*内核中根据这个结构体创建binder_node结构体*/ struct flat_binder_object *obj; obj = bio_alloc_obj(bio); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_BINDER; obj->binder = (uintptr_t)ptr; obj->cookie = 0; /*这里的binder和cookie都是由Service决定的*/ }
a.binder驱动收到flat_binder_object结构体,且其type = BINDER_TYPE_BINDER(表示Service),就会在内核中创建一个binder_node结构体,
其target.ptr和cookie来自Service传入的flat_binder_object结构体。
b.由于addService()时指定的handle=0,binder驱动会将收到的数据转发给SM进程,并为SM进程构造一个binder_ref结构体,其node指向Hello
Service的binder_node结构体,其desc域为1(假设Hello Servie是系统中第一个向SM注册的服务)表示此Service是第一个注册进SM的服务。SM用
户空间程序会在svlist链表上创建一个svcinfo结构记录下这个Hello服务,其name="hello",handle就等于binder_ref中的desc(就是1)。
(2)getService("hello")
c.cilent向SM获取服务(构造数据handle=0),SM在svlist通过名字"hello"进行查找,找到对应的Hello服务,其handle为1,然后就构造一个flat_binder_object结构体
其type=BINDER_TYPE_HANDLE(表示引用),然后发给驱动。驱动检测数数据中有一个flat_binder_object结构体且type=BINDER_TYPE_HANDLE(表示引用)
就会为Client进程也创建一个binder_ref结构体,其node域指向表示Hello服务的binder_node结构体,其desc为1(假定Hello服务是Client进程中获取
的第一个服务),表示Hello服务是Client获取的第一个服务。然后返回handle=1给到Client用户空间程序,之后Client程序就可以通过handle来使用Hello
服务了。
(3)Client端使用Hello服务
d.构造数据(handle=1, 要使用Service的函数编号,参数),然后发给驱动。驱动根据handle=1在本进程的binder_ref树中找到对应的binder_ref结构体,然后
根据binder_ref.node找到表示Hello服务的binder_node结构体,然后根据binder_node.proc找到Hello服务的binder_proc结构体,然后根据binder_proc.tsk
找到Hello服务进程。然后驱动构造一个binder_transaction_data,并使Hello服务的binder_node.ptr域赋值给binder_transaction_data.target.ptr,
binder_node.cookie赋值给binder_transaction_data.cookie,然后binder驱动把数据发给Hello服务进程。
e.Hello服务进程收到数据解析出binder_transaction_data结构,根据其target.ptr和(或)cookie域知道Client要使用哪个服务(因为一个进程可能注册多个服务,
只不过这个Hello服务进程只注册了一个服务而已)。然后根据binder_transaction_data.code知道Client要调用服务的哪个函数。然后调用对应的函数,并把执行
结果返回给Client。
然后释放buffer。
binder_ref是区分进程的,binder_node表示服务是不区分进程的。用户空间的handle来源于binder_ref,所以它也是per进程的(除了SM的恒为0)。
二、测试Demo
测试Demo来自frameworks/native/cmds/servicemanager下的文件的修改
biner.c(修改支持Service多线程)
/* Copyright 2008 The Android Open Source Project */ #include <inttypes.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <pthread.h> #include "binder.h" #define MAX_BIO_SIZE (1 << 30) #define TRACE 0 #if TRACE #define ALOGI(x...) fprintf(stderr, "binder: " x) #define ALOGE(x...) fprintf(stderr, "binder: " x) #else #define ALOGI(x...) #define ALOGE(x...) #endif #define LOG_TAG "Binder" //#include <cutils/log.h> void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn); #if TRACE void hexdump(void *_data, size_t len) { unsigned char *data = _data; size_t count; for (count = 0; count < len; count++) { if ((count & 15) == 0) fprintf(stderr,"%04zu:", count); fprintf(stderr," %02x %c", *data, (*data < 32) || (*data > 126) ? '.' : *data); data++; if ((count & 15) == 15) fprintf(stderr," "); } if ((count & 15) != 0) fprintf(stderr," "); } void binder_dump_txn(struct binder_transaction_data *txn) { struct flat_binder_object *obj; binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets; size_t count = txn->offsets_size / sizeof(binder_size_t); fprintf(stderr," target %016"PRIx64" cookie %016"PRIx64" code %08x flags %08x ", (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags); fprintf(stderr," pid %8d uid %8d data %"PRIu64" offs %"PRIu64" ", txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size); hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size); while (count--) { obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++); fprintf(stderr," - type %08x flags %08x ptr %016"PRIx64" cookie %016"PRIx64" ", obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie); } } #define NAME(n) case n: return #n const char *cmd_name(uint32_t cmd) { switch(cmd) { NAME(BR_NOOP); NAME(BR_TRANSACTION_COMPLETE); NAME(BR_INCREFS); NAME(BR_ACQUIRE); NAME(BR_RELEASE); NAME(BR_DECREFS); NAME(BR_TRANSACTION); NAME(BR_REPLY); NAME(BR_FAILED_REPLY); NAME(BR_DEAD_REPLY); NAME(BR_DEAD_BINDER); default: return "???"; } } #else #define hexdump(a,b) do{} while (0) #define binder_dump_txn(txn) do{} while (0) #endif #define BIO_F_SHARED 0x01 /* needs to be buffer freed */ #define BIO_F_OVERFLOW 0x02 /* ran out of space */ #define BIO_F_IOERROR 0x04 #define BIO_F_MALLOCED 0x08 /* needs to be free()'d */ struct binder_state { int fd; void *mapped; size_t mapsize; }; struct binder_state *binder_open(size_t mapsize) { struct binder_state *bs; struct binder_version vers; bs = malloc(sizeof(*bs)); if (!bs) { errno = ENOMEM; return NULL; } bs->fd = open("/dev/binder", O_RDWR); if (bs->fd < 0) { fprintf(stderr,"binder: cannot open device (%s) ", strerror(errno)); goto fail_open; } if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) || (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) { fprintf(stderr, "binder: driver version differs from user space "); goto fail_open; } bs->mapsize = mapsize; bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); if (bs->mapped == MAP_FAILED) { fprintf(stderr,"binder: cannot map device (%s) ", strerror(errno)); goto fail_map; } return bs; fail_map: close(bs->fd); fail_open: free(bs); return NULL; } void binder_close(struct binder_state *bs) { munmap(bs->mapped, bs->mapsize); close(bs->fd); free(bs); } int binder_become_context_manager(struct binder_state *bs) { return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); } int binder_write(struct binder_state *bs, void *data, size_t len) { struct binder_write_read bwr; int res; bwr.write_size = len; bwr.write_consumed = 0; bwr.write_buffer = (uintptr_t) data; bwr.read_size = 0; bwr.read_consumed = 0; bwr.read_buffer = 0; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { fprintf(stderr,"binder_write: ioctl failed (%s) ", strerror(errno)); } return res; } void binder_send_reply(struct binder_state *bs, struct binder_io *reply, binder_uintptr_t buffer_to_free, int status) { struct { uint32_t cmd_free; binder_uintptr_t buffer; uint32_t cmd_reply; struct binder_transaction_data txn; } __attribute__((packed)) data; data.cmd_free = BC_FREE_BUFFER; data.buffer = buffer_to_free; data.cmd_reply = BC_REPLY; data.txn.target.ptr = 0; data.txn.cookie = 0; data.txn.code = 0; if (status) { data.txn.flags = TF_STATUS_CODE; data.txn.data_size = sizeof(int); data.txn.offsets_size = 0; data.txn.data.ptr.buffer = (uintptr_t)&status; data.txn.data.ptr.offsets = 0; } else { data.txn.flags = 0; data.txn.data_size = reply->data - reply->data0; data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0); data.txn.data.ptr.buffer = (uintptr_t)reply->data0; data.txn.data.ptr.offsets = (uintptr_t)reply->offs0; } binder_write(bs, &data, sizeof(data)); } /*这是另一个线程执行函数*/ void binder_thread_loop(struct binder_state *bs, binder_handler func) { int res; struct binder_write_read bwr; uint32_t readbuf[32]; bwr.write_size = 0; bwr.write_consumed = 0; bwr.write_buffer = 0; readbuf[0] = BC_REGISTER_LOOPER; binder_write(bs, readbuf, sizeof(uint32_t)); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { ALOGE("binder_loop: ioctl failed (%s) ", strerror(errno)); break; } res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); if (res == 0) { ALOGE("binder_loop: unexpected reply?! "); break; } if (res < 0) { ALOGE("binder_loop: io error %d %s ", res, strerror(errno)); break; } } } // struct binder_state *bs, binder_handler func struct binder_thread_desc { struct binder_state *bs; binder_handler func; }; static void * binder_thread_routine(struct binder_thread_desc *btd) { binder_thread_loop(btd->bs, btd->func); return NULL; } int binder_parse(struct binder_state *bs, struct binder_io *bio, uintptr_t ptr, size_t size, binder_handler func) { int r = 1; uintptr_t end = ptr + (uintptr_t) size; while (ptr < end) { uint32_t cmd = *(uint32_t *) ptr; ptr += sizeof(uint32_t); #if TRACE fprintf(stderr,"%s: ", cmd_name(cmd)); #endif switch(cmd) { case BR_NOOP: break; case BR_TRANSACTION_COMPLETE: break; case BR_INCREFS: case BR_ACQUIRE: case BR_RELEASE: case BR_DECREFS: #if TRACE fprintf(stderr," %p, %p ", (void *)ptr, (void *)(ptr + sizeof(void *))); #endif ptr += sizeof(struct binder_ptr_cookie); break; case BR_SPAWN_LOOPER: { /* create new thread */ //if (fork() == 0) { //} pthread_t thread; struct binder_thread_desc btd; btd.bs = bs; btd.func = func; pthread_create(&thread, NULL, binder_thread_routine, &btd); /* in new thread: ioctl(BC_ENTER_LOOPER), enter binder_looper */ break; } case BR_TRANSACTION: { struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; if ((end - ptr) < sizeof(*txn)) { ALOGE("parse: txn too small! "); return -1; } binder_dump_txn(txn); if (func) { unsigned rdata[256/4]; struct binder_io msg; struct binder_io reply; int res; bio_init(&reply, rdata, sizeof(rdata), 4); bio_init_from_txn(&msg, txn); res = func(bs, txn, &msg, &reply); binder_send_reply(bs, &reply, txn->data.ptr.buffer, res); } ptr += sizeof(*txn); break; } case BR_REPLY: { struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; if ((end - ptr) < sizeof(*txn)) { ALOGE("parse: reply too small! "); return -1; } binder_dump_txn(txn); if (bio) { bio_init_from_txn(bio, txn); bio = 0; } else { /* todo FREE BUFFER */ } ptr += sizeof(*txn); r = 0; break; } case BR_DEAD_BINDER: { struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr; ptr += sizeof(binder_uintptr_t); death->func(bs, death->ptr); break; } case BR_FAILED_REPLY: r = -1; break; case BR_DEAD_REPLY: r = -1; break; default: ALOGE("parse: OOPS %d ", cmd); return -1; } } return r; } void binder_acquire(struct binder_state *bs, uint32_t target) { uint32_t cmd[2]; cmd[0] = BC_ACQUIRE; cmd[1] = target; binder_write(bs, cmd, sizeof(cmd)); } void binder_release(struct binder_state *bs, uint32_t target) { uint32_t cmd[2]; cmd[0] = BC_RELEASE; cmd[1] = target; binder_write(bs, cmd, sizeof(cmd)); } void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death) { struct { uint32_t cmd; struct binder_handle_cookie payload; } __attribute__((packed)) data; data.cmd = BC_REQUEST_DEATH_NOTIFICATION; data.payload.handle = target; data.payload.cookie = (uintptr_t) death; binder_write(bs, &data, sizeof(data)); } int binder_call(struct binder_state *bs, struct binder_io *msg, struct binder_io *reply, uint32_t target, uint32_t code) { int res; struct binder_write_read bwr; struct { uint32_t cmd; struct binder_transaction_data txn; } __attribute__((packed)) writebuf; unsigned readbuf[32]; if (msg->flags & BIO_F_OVERFLOW) { fprintf(stderr,"binder: txn buffer overflow "); goto fail; } writebuf.cmd = BC_TRANSACTION; writebuf.txn.target.handle = target; writebuf.txn.code = code; writebuf.txn.flags = 0; writebuf.txn.data_size = msg->data - msg->data0; writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0); writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0; writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0; bwr.write_size = sizeof(writebuf); bwr.write_consumed = 0; bwr.write_buffer = (uintptr_t) &writebuf; hexdump(msg->data0, msg->data - msg->data0); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { fprintf(stderr,"binder: ioctl failed (%s) ", strerror(errno)); goto fail; } res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0); if (res == 0) return 0; if (res < 0) goto fail; } fail: memset(reply, 0, sizeof(*reply)); reply->flags |= BIO_F_IOERROR; return -1; } void binder_set_maxthreads(struct binder_state *bs, int threads) { ioctl(bs->fd, BINDER_SET_MAX_THREADS, &threads); } void binder_loop(struct binder_state *bs, binder_handler func) { int res; struct binder_write_read bwr; uint32_t readbuf[32]; bwr.write_size = 0; bwr.write_consumed = 0; bwr.write_buffer = 0; readbuf[0] = BC_ENTER_LOOPER; binder_write(bs, readbuf, sizeof(uint32_t)); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { ALOGE("binder_loop: ioctl failed (%s) ", strerror(errno)); break; } res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); if (res == 0) { ALOGE("binder_loop: unexpected reply?! "); break; } if (res < 0) { ALOGE("binder_loop: io error %d %s ", res, strerror(errno)); break; } } } void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn) { bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer; bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets; bio->data_avail = txn->data_size; bio->offs_avail = txn->offsets_size / sizeof(size_t); bio->flags = BIO_F_SHARED; } void bio_init(struct binder_io *bio, void *data, size_t maxdata, size_t maxoffs) { size_t n = maxoffs * sizeof(size_t); if (n > maxdata) { bio->flags = BIO_F_OVERFLOW; bio->data_avail = 0; bio->offs_avail = 0; return; } bio->data = bio->data0 = (char *) data + n; bio->offs = bio->offs0 = data; bio->data_avail = maxdata - n; bio->offs_avail = maxoffs; bio->flags = 0; } static void *bio_alloc(struct binder_io *bio, size_t size) { size = (size + 3) & (~3); if (size > bio->data_avail) { bio->flags |= BIO_F_OVERFLOW; return NULL; } else { void *ptr = bio->data; bio->data += size; bio->data_avail -= size; return ptr; } } void binder_done(struct binder_state *bs, struct binder_io *msg, struct binder_io *reply) { struct { uint32_t cmd; uintptr_t buffer; } __attribute__((packed)) data; if (reply->flags & BIO_F_SHARED) { data.cmd = BC_FREE_BUFFER; data.buffer = (uintptr_t) reply->data0; binder_write(bs, &data, sizeof(data)); reply->flags = 0; } } static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio) { struct flat_binder_object *obj; obj = bio_alloc(bio, sizeof(*obj)); if (obj && bio->offs_avail) { bio->offs_avail--; *bio->offs++ = ((char*) obj) - ((char*) bio->data0); return obj; } bio->flags |= BIO_F_OVERFLOW; return NULL; } void bio_put_uint32(struct binder_io *bio, uint32_t n) { uint32_t *ptr = bio_alloc(bio, sizeof(n)); if (ptr) *ptr = n; } void bio_put_obj(struct binder_io *bio, void *ptr) { struct flat_binder_object *obj; obj = bio_alloc_obj(bio); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_BINDER; obj->binder = (uintptr_t)ptr; obj->cookie = 0; } void bio_put_ref(struct binder_io *bio, uint32_t handle) { struct flat_binder_object *obj; if (handle) obj = bio_alloc_obj(bio); else obj = bio_alloc(bio, sizeof(*obj)); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_HANDLE; obj->handle = handle; obj->cookie = 0; } void bio_put_string16(struct binder_io *bio, const uint16_t *str) { size_t len; uint16_t *ptr; if (!str) { bio_put_uint32(bio, 0xffffffff); return; } len = 0; while (str[len]) len++; if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { bio_put_uint32(bio, 0xffffffff); return; } /* Note: The payload will carry 32bit size instead of size_t */ bio_put_uint32(bio, (uint32_t) len); len = (len + 1) * sizeof(uint16_t); ptr = bio_alloc(bio, len); if (ptr) memcpy(ptr, str, len); } void bio_put_string16_x(struct binder_io *bio, const char *_str) { unsigned char *str = (unsigned char*) _str; size_t len; uint16_t *ptr; if (!str) { bio_put_uint32(bio, 0xffffffff); return; } len = strlen(_str); if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { bio_put_uint32(bio, 0xffffffff); return; } /* Note: The payload will carry 32bit size instead of size_t */ bio_put_uint32(bio, len); ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t)); if (!ptr) return; while (*str) *ptr++ = *str++; *ptr++ = 0; } static void *bio_get(struct binder_io *bio, size_t size) { size = (size + 3) & (~3); if (bio->data_avail < size){ bio->data_avail = 0; bio->flags |= BIO_F_OVERFLOW; return NULL; } else { void *ptr = bio->data; bio->data += size; bio->data_avail -= size; return ptr; } } uint32_t bio_get_uint32(struct binder_io *bio) { uint32_t *ptr = bio_get(bio, sizeof(*ptr)); return ptr ? *ptr : 0; } uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz) { size_t len; /* Note: The payload will carry 32bit size instead of size_t */ len = (size_t) bio_get_uint32(bio); if (sz) *sz = len; return bio_get(bio, (len + 1) * sizeof(uint16_t)); } static struct flat_binder_object *_bio_get_obj(struct binder_io *bio) { size_t n; size_t off = bio->data - bio->data0; /* TODO: be smarter about this? */ for (n = 0; n < bio->offs_avail; n++) { if (bio->offs[n] == off) return bio_get(bio, sizeof(struct flat_binder_object)); } bio->data_avail = 0; bio->flags |= BIO_F_OVERFLOW; return NULL; } uint32_t bio_get_ref(struct binder_io *bio) { struct flat_binder_object *obj; obj = _bio_get_obj(bio); if (!obj) return 0; if (obj->type == BINDER_TYPE_HANDLE) return obj->handle; return 0; }
test_server.c
/* Copyright 2008 The Android Open Source Project */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <private/android_filesystem_config.h> #include "binder.h" #include "test_server.h" int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr) { int status; unsigned iodata[512/4]; struct binder_io msg, reply; bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header bio_put_string16_x(&msg, SVC_MGR_NAME); bio_put_string16_x(&msg, name); bio_put_obj(&msg, ptr); if (binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE)) return -1; status = bio_get_uint32(&reply); binder_done(bs, &msg, &reply); return status; } void sayhello(void) { static int cnt = 0; fprintf(stderr, "say hello : %d ", cnt++); } int sayhello_to(char *name) { static int cnt = 0; fprintf(stderr, "say hello to %s : %d ", name, cnt++); return cnt; } void saygoodbye(void) { static int cnt = 0; fprintf(stderr, "say goodbye : %d ", cnt++); } int saygoodbye_to(char *name) { static int cnt = 0; fprintf(stderr, "say goodbye to %s : %d ", name, cnt++); return cnt; } int hello_service_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { /* 根据txn->code知道要调用哪一个函数 * 如果需要参数, 可以从msg取出 * 如果要返回结果, 可以把结果放入reply */ /* sayhello * sayhello_to */ uint16_t *s; char name[512]; size_t len; uint32_t handle; uint32_t strict_policy; int i; // Equivalent to Parcel::enforceInterface(), reading the RPC // header with the strict mode policy mask and the interface name. // Note that we ignore the strict_policy and don't propagate it // further (since we do no outbound RPCs anyway). strict_policy = bio_get_uint32(msg); switch(txn->code) { case HELLO_SVR_CMD_SAYHELLO: sayhello(); return 0; case HELLO_SVR_CMD_SAYHELLO_TO: /* 从msg里取出字符串 */ s = bio_get_string16(msg, &len); if (s == NULL) { return -1; } for (i = 0; i < len; i++) name[i] = s[i]; name[i] = '�'; /* 处理 */ i = sayhello_to(name); /* 把结果放入reply */ bio_put_uint32(reply, i); break; default: fprintf(stderr, "unknown code %d ", txn->code); return -1; } return 0; } int goodbye_service_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { /* 根据txn->code知道要调用哪一个函数 * 如果需要参数, 可以从msg取出 * 如果要返回结果, 可以把结果放入reply */ /* sayhello * sayhello_to */ uint16_t *s; char name[512]; size_t len; uint32_t handle; uint32_t strict_policy; int i; // Equivalent to Parcel::enforceInterface(), reading the RPC // header with the strict mode policy mask and the interface name. // Note that we ignore the strict_policy and don't propagate it // further (since we do no outbound RPCs anyway). strict_policy = bio_get_uint32(msg); switch(txn->code) { case GOODBYE_SVR_CMD_SAYGOODBYE: saygoodbye(); return 0; case GOODBYE_SVR_CMD_SAYGOODBYE_TO: /* 从msg里取出字符串 */ s = bio_get_string16(msg, &len); if (s == NULL) { return -1; } for (i = 0; i < len; i++) name[i] = s[i]; name[i] = '�'; /* 处理 */ i = saygoodbye_to(name); /* 把结果放入reply */ bio_put_uint32(reply, i); break; default: fprintf(stderr, "unknown code %d ", txn->code); return -1; } return 0; } int test_server_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { int (*handler)(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply); handler = (int (*)(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply))txn->target.ptr; return handler(bs, txn, msg, reply); } int main(int argc, char **argv) { int fd; struct binder_state *bs; uint32_t svcmgr = BINDER_SERVICE_MANAGER; uint32_t handle; int ret; bs = binder_open(128*1024); if (!bs) { fprintf(stderr, "failed to open binder driver "); return -1; } /* add service */ ret = svcmgr_publish(bs, svcmgr, "hello", hello_service_handler); if (ret) { fprintf(stderr, "failed to publish hello service "); return -1; } ret = svcmgr_publish(bs, svcmgr, "goodbye", goodbye_service_handler); if (ret) { fprintf(stderr, "failed to publish goodbye service "); } #if 0 while (1) { /* read data */ /* parse data, and process */ /* reply */ } #endif binder_set_maxthreads(bs, 10); binder_loop(bs, test_server_handler); return 0; }
test_client.c
/* Copyright 2008 The Android Open Source Project */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <private/android_filesystem_config.h> #include "binder.h" #include "test_server.h" uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name) { uint32_t handle; unsigned iodata[512/4]; struct binder_io msg, reply; bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header bio_put_string16_x(&msg, SVC_MGR_NAME); bio_put_string16_x(&msg, name); if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE)) return 0; handle = bio_get_ref(&reply); if (handle) binder_acquire(bs, handle); binder_done(bs, &msg, &reply); return handle; } struct binder_state *g_bs; uint32_t g_hello_handle; uint32_t g_goodbye_handle; void sayhello(void) { unsigned iodata[512/4]; struct binder_io msg, reply; /* 构造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); /*这是写入的一个垃圾数据,没有使用*/ bio_put_uint32(&msg, 0); // strict mode header /* 放入参数 */ /* 调用binder_call */ if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO)) return ; /* 从reply中解析出返回值 */ binder_done(g_bs, &msg, &reply); } int sayhello_to(char *name) { unsigned iodata[512/4]; struct binder_io msg, reply; int ret; /* 构造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入参数 */ bio_put_string16_x(&msg, name); /* 调用binder_call */ if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO_TO)) return 0; /* 从reply中解析出返回值 */ ret = bio_get_uint32(&reply); binder_done(g_bs, &msg, &reply); return ret; } void saygoodbye(void) { unsigned iodata[512/4]; struct binder_io msg, reply; /* 构造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入参数 */ /* 调用binder_call */ if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE)) return ; /* 从reply中解析出返回值 */ binder_done(g_bs, &msg, &reply); } int saygoodbye_to(char *name) { unsigned iodata[512/4]; struct binder_io msg, reply; int ret; /* 构造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入参数 */ bio_put_string16_x(&msg, name); /* 调用binder_call */ if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE_TO)) return 0; /* 从reply中解析出返回值 */ ret = bio_get_uint32(&reply); binder_done(g_bs, &msg, &reply); return ret; } /* ./test_client hello * ./test_client hello <name> */ int main(int argc, char **argv) { int fd; struct binder_state *bs; uint32_t svcmgr = BINDER_SERVICE_MANAGER; uint32_t handle; int ret; if (argc < 2){ fprintf(stderr, "Usage: "); fprintf(stderr, "%s <hello|goodbye> ", argv[0]); fprintf(stderr, "%s <hello|goodbye> <name> ", argv[0]); return -1; } bs = binder_open(128*1024); if (!bs) { fprintf(stderr, "failed to open binder driver "); return -1; } g_bs = bs; /* get service */ handle = svcmgr_lookup(bs, svcmgr, "goodbye"); if (!handle) { fprintf(stderr, "failed to get goodbye service "); return -1; } g_goodbye_handle = handle; fprintf(stderr, "Handle for goodbye service = %d ", g_goodbye_handle); handle = svcmgr_lookup(bs, svcmgr, "hello"); if (!handle) { fprintf(stderr, "failed to get hello service "); return -1; } g_hello_handle = handle; fprintf(stderr, "Handle for hello service = %d ", g_hello_handle); /* send data to server */ if (!strcmp(argv[1], "hello")) { if (argc == 2) { sayhello(); } else if (argc == 3) { ret = sayhello_to(argv[2]); fprintf(stderr, "get ret of sayhello_to = %d ", ret); } } else if (!strcmp(argv[1], "goodbye")) { if (argc == 2) { saygoodbye(); } else if (argc == 3) { ret = saygoodbye_to(argv[2]); fprintf(stderr, "get ret of sayhello_to = %d ", ret); } } binder_release(bs, handle); return 0; }
代码:http://github.com/weidongshan/APP_0003_Binder_C_App.git
修改的加打印的驱动:http://github.com/weidongshan/DRV_0003_Binder.git
优秀博文:
Android Binder的设计与实现: http://blog.csdn.net/universus/article/details/6211589
binder双向传输栈分析:http://www.cnblogs.com/samchen2009/p/3316001.html