一、學習筆記
1.Binder的核心是IPC和RPC
IPC: (Inter-Process Communication)進程間通信,指至少兩個進程或線程間傳送數據或信號的一些技術或方法。
RPC: (Remote-Process Communication)遠程過程調用,類似於調用其它進程的函數。
ICP三要素:
源:A
目的:
B向ServiceManager注冊led服務
A向ServiceManager查詢led服務得到一個handle。
數據:buf[512]
RPC:
調用哪個函數:Server的函數編號
傳給它什么參數:通過IPC的buf[]進行傳輸(使用的是binder驅動)。
返回結果:遠端執行完返回值
2.系統自帶的C實現的Binder程序:frameworks/native/cmds/servicemanager
service_manager.c 充當SM的角色,管理所有的Service,其本身也是一個服務。
binder.c 封裝好的C庫
bctest.c 半成品,演示怎樣注冊服務
3.int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr)
如果兩個service的注冊函數svcmgr_publish()的最后一個參數值相同,那么會報錯。
正常情況下kill掉service_manager的時候,所有的service都會收到死亡通知,然后從鏈表中刪除掉。但是若兩個service指定為相同的ptr,
那么下次再重啟service_manager的時候它會報這個服務已經存在了,由於相同的ptr導致kill掉service_manager時有一個並沒有收到死亡通
知,也就不能從鏈表中刪除。
4.binder應該是個內核線程,binder驅動中創建了一個單CPU的工作隊列
# ps | grep binder
root 1073 2 0 0 c00a0668 00000000 S binder
5.驅動中數據結構表示
struct binder_ref : 表示引用
binder_node :表示一個Service
binder_proc :表示進程
binder_thread :表示線程的一個線程
6.handle是進程A(Client)對進程B(Service)提供的服務的引用,由handle可以對比desc成員找到binder_ref結構,
其*node成員指向表示某項服務的binder_node結構體,binder_node的proc成員指向表示進程的binder_proc結構體,其內部指向對應的進程
從而找到目的進程, 然后把數據給到目的進程的todo鏈表上,然后喚醒目的進程。
7.handler是per-process的
8.mmap使用戶態可以直接操作內核態的內存。service mmap后,service用戶空間就可以直接使用內核buff.所以binder通信只需要client端的
一次copy_from_user()一次拷貝。但是數據類型cmd還是要拷貝兩次的。
9.發給驅動的命令和驅動發給用戶的命令是不同的
A進程給B進程發送數據:A進程使用BC_TRANSACTION發送,經過binder驅動轉換,B進程接收到是BR_TRANSACTION
B進程給A進程回復數據:B進程使用BC_REPLY發送,經過binder驅動轉換,A進程接收到是BR_REPLY
只有這四種會涉及2個進程,其它的cmd都只涉及應用和驅動的通信。
10.每個進程在open("/dev/binder")時會給它創建一個binder_proc結構,每個進程在調用ioctl()的時候都會創建一個binder_thread結構。
11.Service可以分為匿名和具名Service. 前者沒有注冊到ServiceManager, 應用無法通過名字獲取到訪問該服務的Proxy對象。
12.但是創建子進程不能使用fork(),因為在service_manager.c中binder_open()中mmap()調用內核的binder_mmap():
這里指定了VM_DONTCOPY,在用戶空間中使用fork()創建的子進程無法訪問到service_manager.c中mmap()的內存
vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;
只能使用pthread_create(),它會把mmap()的空間也拷貝過來。
13.創建多線程Service讀取到驅動發出的BR_SPAWN_LOOPER后使用pthread_create()創建多線程。驅動處理不過來的時候就會向Service發送這個
請求命令。驅動判斷處理不過來的方法是Service端沒有線程在阻塞等待。Service可以設置最大線程數量。
14.addService執行流程
(1) test_service中為每個service構造flat_binder_object結構體,其type=BINDER_TYPE_BINDER表示讓binder驅動為我這個Service構造一個
binder_node結構體,每個不同的服務的*binder或cookie域不同。
(2) ioctl(BINDER_WRITE_READ)來發送數據。數據中包括flat_binder_object結構體和服務的名字,數據中的handle=0表示發給SM。
(3) binder驅動中為每一個flat_binder_object構造一個binder_node結構體,它表示一個Service。
(4) binder驅動根據handle=0找到SM,然后把數據發給SM。並為SM構造binder_ref結構體。
(5) SM應用程序中收到數據后記錄下Service的名字和handle(desc)值,記錄的數據保存在svlist鏈表上。
15.getService執行流程
(1) test_client構造數據,name為要獲取的Service的名字,handle為0表示向SM獲取服務。
(2) 調用ioctl(BINDER_WRITE_READ)將數據發給binder驅動
(3) binder驅動根據handle=0找到SM進程,然后把數據發給SM進程
(4) SM進程從svlist鏈表中根據名字找到對應Service的handle值,然后將其寫給驅動(目的是發給Client)。寫給驅動的數據格式也是一個
flat_binder_object結構體,其type=BINDER_TYPE_HANDLE表示讓驅動為client進程創建一個binder_ref結構體。
(5) 驅動發現收到的數據中有flat_binder_object結構體且其type=BINDER_TYPE_HANDLE就會為Client進程創建一個binder_ref結構體,
其handle為數據中的handle,node域指向要獲得Service的binder_node結構體。
16.client使用Service的執行流程
(1) 構造數據,參數:code表示調用哪個函數,handle表示使用哪個Service
(2) 使用ioctl(BINDER_WRITE_READ)將數據發給驅動
(3) 驅動中取出數據,根據handle找到binder_ref結構體(對比desc域),根據其node域找到binder_node結構體(表示一個Service)從而找到
對應的Service,然后把數據傳給這個Service進程,並設置數據中的ptr和cookie為binder_node的ptr和cookie.
(4) Service進程中根據ptr和cookie值得知Client想調用哪個函數(服務)。
17.mm showcommands 編譯,打印出頭文件搜索路徑等信息
18.Binder系統過程分析
(1)addService("Hello", *ptr),在C實現的Demo中調用bio_put_obj(),將ptr賦值給flat_binder_object.binder,cookie賦值為0。內核中
表示服務的binder_node結構的*ptr和*cookie的值就是由Service應用程序傳參控制的,可用於區分不同的Service。
void bio_put_obj(struct binder_io *bio, void *ptr) { /*內核中根據這個結構體創建binder_node結構體*/ struct flat_binder_object *obj; obj = bio_alloc_obj(bio); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_BINDER; obj->binder = (uintptr_t)ptr; obj->cookie = 0; /*這里的binder和cookie都是由Service決定的*/ }
a.binder驅動收到flat_binder_object結構體,且其type = BINDER_TYPE_BINDER(表示Service),就會在內核中創建一個binder_node結構體,
其target.ptr和cookie來自Service傳入的flat_binder_object結構體。
b.由於addService()時指定的handle=0,binder驅動會將收到的數據轉發給SM進程,並為SM進程構造一個binder_ref結構體,其node指向Hello
Service的binder_node結構體,其desc域為1(假設Hello Servie是系統中第一個向SM注冊的服務)表示此Service是第一個注冊進SM的服務。SM用
戶空間程序會在svlist鏈表上創建一個svcinfo結構記錄下這個Hello服務,其name="hello",handle就等於binder_ref中的desc(就是1)。
(2)getService("hello")
c.cilent向SM獲取服務(構造數據handle=0),SM在svlist通過名字"hello"進行查找,找到對應的Hello服務,其handle為1,然后就構造一個flat_binder_object結構體
其type=BINDER_TYPE_HANDLE(表示引用),然后發給驅動。驅動檢測數數據中有一個flat_binder_object結構體且type=BINDER_TYPE_HANDLE(表示引用)
就會為Client進程也創建一個binder_ref結構體,其node域指向表示Hello服務的binder_node結構體,其desc為1(假定Hello服務是Client進程中獲取
的第一個服務),表示Hello服務是Client獲取的第一個服務。然后返回handle=1給到Client用戶空間程序,之后Client程序就可以通過handle來使用Hello
服務了。
(3)Client端使用Hello服務
d.構造數據(handle=1, 要使用Service的函數編號,參數),然后發給驅動。驅動根據handle=1在本進程的binder_ref樹中找到對應的binder_ref結構體,然后
根據binder_ref.node找到表示Hello服務的binder_node結構體,然后根據binder_node.proc找到Hello服務的binder_proc結構體,然后根據binder_proc.tsk
找到Hello服務進程。然后驅動構造一個binder_transaction_data,並使Hello服務的binder_node.ptr域賦值給binder_transaction_data.target.ptr,
binder_node.cookie賦值給binder_transaction_data.cookie,然后binder驅動把數據發給Hello服務進程。
e.Hello服務進程收到數據解析出binder_transaction_data結構,根據其target.ptr和(或)cookie域知道Client要使用哪個服務(因為一個進程可能注冊多個服務,
只不過這個Hello服務進程只注冊了一個服務而已)。然后根據binder_transaction_data.code知道Client要調用服務的哪個函數。然后調用對應的函數,並把執行
結果返回給Client。
然后釋放buffer。
binder_ref是區分進程的,binder_node表示服務是不區分進程的。用戶空間的handle來源於binder_ref,所以它也是per進程的(除了SM的恆為0)。
二、測試Demo
測試Demo來自frameworks/native/cmds/servicemanager下的文件的修改
biner.c(修改支持Service多線程)
/* Copyright 2008 The Android Open Source Project */ #include <inttypes.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include <sys/mman.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <pthread.h> #include "binder.h" #define MAX_BIO_SIZE (1 << 30) #define TRACE 0 #if TRACE #define ALOGI(x...) fprintf(stderr, "binder: " x) #define ALOGE(x...) fprintf(stderr, "binder: " x) #else #define ALOGI(x...) #define ALOGE(x...) #endif #define LOG_TAG "Binder" //#include <cutils/log.h> void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn); #if TRACE void hexdump(void *_data, size_t len) { unsigned char *data = _data; size_t count; for (count = 0; count < len; count++) { if ((count & 15) == 0) fprintf(stderr,"%04zu:", count); fprintf(stderr," %02x %c", *data, (*data < 32) || (*data > 126) ? '.' : *data); data++; if ((count & 15) == 15) fprintf(stderr,"\n"); } if ((count & 15) != 0) fprintf(stderr,"\n"); } void binder_dump_txn(struct binder_transaction_data *txn) { struct flat_binder_object *obj; binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets; size_t count = txn->offsets_size / sizeof(binder_size_t); fprintf(stderr," target %016"PRIx64" cookie %016"PRIx64" code %08x flags %08x\n", (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags); fprintf(stderr," pid %8d uid %8d data %"PRIu64" offs %"PRIu64"\n", txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size); hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size); while (count--) { obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++); fprintf(stderr," - type %08x flags %08x ptr %016"PRIx64" cookie %016"PRIx64"\n", obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie); } } #define NAME(n) case n: return #n const char *cmd_name(uint32_t cmd) { switch(cmd) { NAME(BR_NOOP); NAME(BR_TRANSACTION_COMPLETE); NAME(BR_INCREFS); NAME(BR_ACQUIRE); NAME(BR_RELEASE); NAME(BR_DECREFS); NAME(BR_TRANSACTION); NAME(BR_REPLY); NAME(BR_FAILED_REPLY); NAME(BR_DEAD_REPLY); NAME(BR_DEAD_BINDER); default: return "???"; } } #else #define hexdump(a,b) do{} while (0) #define binder_dump_txn(txn) do{} while (0) #endif #define BIO_F_SHARED 0x01 /* needs to be buffer freed */ #define BIO_F_OVERFLOW 0x02 /* ran out of space */ #define BIO_F_IOERROR 0x04 #define BIO_F_MALLOCED 0x08 /* needs to be free()'d */ struct binder_state { int fd; void *mapped; size_t mapsize; }; struct binder_state *binder_open(size_t mapsize) { struct binder_state *bs; struct binder_version vers; bs = malloc(sizeof(*bs)); if (!bs) { errno = ENOMEM; return NULL; } bs->fd = open("/dev/binder", O_RDWR); if (bs->fd < 0) { fprintf(stderr,"binder: cannot open device (%s)\n", strerror(errno)); goto fail_open; } if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) || (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) { fprintf(stderr, "binder: driver version differs from user space\n"); goto fail_open; } bs->mapsize = mapsize; bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); if (bs->mapped == MAP_FAILED) { fprintf(stderr,"binder: cannot map device (%s)\n", strerror(errno)); goto fail_map; } return bs; fail_map: close(bs->fd); fail_open: free(bs); return NULL; } void binder_close(struct binder_state *bs) { munmap(bs->mapped, bs->mapsize); close(bs->fd); free(bs); } int binder_become_context_manager(struct binder_state *bs) { return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); } int binder_write(struct binder_state *bs, void *data, size_t len) { struct binder_write_read bwr; int res; bwr.write_size = len; bwr.write_consumed = 0; bwr.write_buffer = (uintptr_t) data; bwr.read_size = 0; bwr.read_consumed = 0; bwr.read_buffer = 0; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { fprintf(stderr,"binder_write: ioctl failed (%s)\n", strerror(errno)); } return res; } void binder_send_reply(struct binder_state *bs, struct binder_io *reply, binder_uintptr_t buffer_to_free, int status) { struct { uint32_t cmd_free; binder_uintptr_t buffer; uint32_t cmd_reply; struct binder_transaction_data txn; } __attribute__((packed)) data; data.cmd_free = BC_FREE_BUFFER; data.buffer = buffer_to_free; data.cmd_reply = BC_REPLY; data.txn.target.ptr = 0; data.txn.cookie = 0; data.txn.code = 0; if (status) { data.txn.flags = TF_STATUS_CODE; data.txn.data_size = sizeof(int); data.txn.offsets_size = 0; data.txn.data.ptr.buffer = (uintptr_t)&status; data.txn.data.ptr.offsets = 0; } else { data.txn.flags = 0; data.txn.data_size = reply->data - reply->data0; data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0); data.txn.data.ptr.buffer = (uintptr_t)reply->data0; data.txn.data.ptr.offsets = (uintptr_t)reply->offs0; } binder_write(bs, &data, sizeof(data)); } /*這是另一個線程執行函數*/ void binder_thread_loop(struct binder_state *bs, binder_handler func) { int res; struct binder_write_read bwr; uint32_t readbuf[32]; bwr.write_size = 0; bwr.write_consumed = 0; bwr.write_buffer = 0; readbuf[0] = BC_REGISTER_LOOPER; binder_write(bs, readbuf, sizeof(uint32_t)); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); break; } res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); if (res == 0) { ALOGE("binder_loop: unexpected reply?!\n"); break; } if (res < 0) { ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); break; } } } // struct binder_state *bs, binder_handler func struct binder_thread_desc { struct binder_state *bs; binder_handler func; }; static void * binder_thread_routine(struct binder_thread_desc *btd) { binder_thread_loop(btd->bs, btd->func); return NULL; } int binder_parse(struct binder_state *bs, struct binder_io *bio, uintptr_t ptr, size_t size, binder_handler func) { int r = 1; uintptr_t end = ptr + (uintptr_t) size; while (ptr < end) { uint32_t cmd = *(uint32_t *) ptr; ptr += sizeof(uint32_t); #if TRACE fprintf(stderr,"%s:\n", cmd_name(cmd)); #endif switch(cmd) { case BR_NOOP: break; case BR_TRANSACTION_COMPLETE: break; case BR_INCREFS: case BR_ACQUIRE: case BR_RELEASE: case BR_DECREFS: #if TRACE fprintf(stderr," %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *))); #endif ptr += sizeof(struct binder_ptr_cookie); break; case BR_SPAWN_LOOPER: { /* create new thread */ //if (fork() == 0) { //} pthread_t thread; struct binder_thread_desc btd; btd.bs = bs; btd.func = func; pthread_create(&thread, NULL, binder_thread_routine, &btd); /* in new thread: ioctl(BC_ENTER_LOOPER), enter binder_looper */ break; } case BR_TRANSACTION: { struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; if ((end - ptr) < sizeof(*txn)) { ALOGE("parse: txn too small!\n"); return -1; } binder_dump_txn(txn); if (func) { unsigned rdata[256/4]; struct binder_io msg; struct binder_io reply; int res; bio_init(&reply, rdata, sizeof(rdata), 4); bio_init_from_txn(&msg, txn); res = func(bs, txn, &msg, &reply); binder_send_reply(bs, &reply, txn->data.ptr.buffer, res); } ptr += sizeof(*txn); break; } case BR_REPLY: { struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; if ((end - ptr) < sizeof(*txn)) { ALOGE("parse: reply too small!\n"); return -1; } binder_dump_txn(txn); if (bio) { bio_init_from_txn(bio, txn); bio = 0; } else { /* todo FREE BUFFER */ } ptr += sizeof(*txn); r = 0; break; } case BR_DEAD_BINDER: { struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr; ptr += sizeof(binder_uintptr_t); death->func(bs, death->ptr); break; } case BR_FAILED_REPLY: r = -1; break; case BR_DEAD_REPLY: r = -1; break; default: ALOGE("parse: OOPS %d\n", cmd); return -1; } } return r; } void binder_acquire(struct binder_state *bs, uint32_t target) { uint32_t cmd[2]; cmd[0] = BC_ACQUIRE; cmd[1] = target; binder_write(bs, cmd, sizeof(cmd)); } void binder_release(struct binder_state *bs, uint32_t target) { uint32_t cmd[2]; cmd[0] = BC_RELEASE; cmd[1] = target; binder_write(bs, cmd, sizeof(cmd)); } void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death) { struct { uint32_t cmd; struct binder_handle_cookie payload; } __attribute__((packed)) data; data.cmd = BC_REQUEST_DEATH_NOTIFICATION; data.payload.handle = target; data.payload.cookie = (uintptr_t) death; binder_write(bs, &data, sizeof(data)); } int binder_call(struct binder_state *bs, struct binder_io *msg, struct binder_io *reply, uint32_t target, uint32_t code) { int res; struct binder_write_read bwr; struct { uint32_t cmd; struct binder_transaction_data txn; } __attribute__((packed)) writebuf; unsigned readbuf[32]; if (msg->flags & BIO_F_OVERFLOW) { fprintf(stderr,"binder: txn buffer overflow\n"); goto fail; } writebuf.cmd = BC_TRANSACTION; writebuf.txn.target.handle = target; writebuf.txn.code = code; writebuf.txn.flags = 0; writebuf.txn.data_size = msg->data - msg->data0; writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0); writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0; writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0; bwr.write_size = sizeof(writebuf); bwr.write_consumed = 0; bwr.write_buffer = (uintptr_t) &writebuf; hexdump(msg->data0, msg->data - msg->data0); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno)); goto fail; } res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0); if (res == 0) return 0; if (res < 0) goto fail; } fail: memset(reply, 0, sizeof(*reply)); reply->flags |= BIO_F_IOERROR; return -1; } void binder_set_maxthreads(struct binder_state *bs, int threads) { ioctl(bs->fd, BINDER_SET_MAX_THREADS, &threads); } void binder_loop(struct binder_state *bs, binder_handler func) { int res; struct binder_write_read bwr; uint32_t readbuf[32]; bwr.write_size = 0; bwr.write_consumed = 0; bwr.write_buffer = 0; readbuf[0] = BC_ENTER_LOOPER; binder_write(bs, readbuf, sizeof(uint32_t)); for (;;) { bwr.read_size = sizeof(readbuf); bwr.read_consumed = 0; bwr.read_buffer = (uintptr_t) readbuf; res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); if (res < 0) { ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); break; } res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); if (res == 0) { ALOGE("binder_loop: unexpected reply?!\n"); break; } if (res < 0) { ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); break; } } } void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn) { bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer; bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets; bio->data_avail = txn->data_size; bio->offs_avail = txn->offsets_size / sizeof(size_t); bio->flags = BIO_F_SHARED; } void bio_init(struct binder_io *bio, void *data, size_t maxdata, size_t maxoffs) { size_t n = maxoffs * sizeof(size_t); if (n > maxdata) { bio->flags = BIO_F_OVERFLOW; bio->data_avail = 0; bio->offs_avail = 0; return; } bio->data = bio->data0 = (char *) data + n; bio->offs = bio->offs0 = data; bio->data_avail = maxdata - n; bio->offs_avail = maxoffs; bio->flags = 0; } static void *bio_alloc(struct binder_io *bio, size_t size) { size = (size + 3) & (~3); if (size > bio->data_avail) { bio->flags |= BIO_F_OVERFLOW; return NULL; } else { void *ptr = bio->data; bio->data += size; bio->data_avail -= size; return ptr; } } void binder_done(struct binder_state *bs, struct binder_io *msg, struct binder_io *reply) { struct { uint32_t cmd; uintptr_t buffer; } __attribute__((packed)) data; if (reply->flags & BIO_F_SHARED) { data.cmd = BC_FREE_BUFFER; data.buffer = (uintptr_t) reply->data0; binder_write(bs, &data, sizeof(data)); reply->flags = 0; } } static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio) { struct flat_binder_object *obj; obj = bio_alloc(bio, sizeof(*obj)); if (obj && bio->offs_avail) { bio->offs_avail--; *bio->offs++ = ((char*) obj) - ((char*) bio->data0); return obj; } bio->flags |= BIO_F_OVERFLOW; return NULL; } void bio_put_uint32(struct binder_io *bio, uint32_t n) { uint32_t *ptr = bio_alloc(bio, sizeof(n)); if (ptr) *ptr = n; } void bio_put_obj(struct binder_io *bio, void *ptr) { struct flat_binder_object *obj; obj = bio_alloc_obj(bio); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_BINDER; obj->binder = (uintptr_t)ptr; obj->cookie = 0; } void bio_put_ref(struct binder_io *bio, uint32_t handle) { struct flat_binder_object *obj; if (handle) obj = bio_alloc_obj(bio); else obj = bio_alloc(bio, sizeof(*obj)); if (!obj) return; obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; obj->type = BINDER_TYPE_HANDLE; obj->handle = handle; obj->cookie = 0; } void bio_put_string16(struct binder_io *bio, const uint16_t *str) { size_t len; uint16_t *ptr; if (!str) { bio_put_uint32(bio, 0xffffffff); return; } len = 0; while (str[len]) len++; if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { bio_put_uint32(bio, 0xffffffff); return; } /* Note: The payload will carry 32bit size instead of size_t */ bio_put_uint32(bio, (uint32_t) len); len = (len + 1) * sizeof(uint16_t); ptr = bio_alloc(bio, len); if (ptr) memcpy(ptr, str, len); } void bio_put_string16_x(struct binder_io *bio, const char *_str) { unsigned char *str = (unsigned char*) _str; size_t len; uint16_t *ptr; if (!str) { bio_put_uint32(bio, 0xffffffff); return; } len = strlen(_str); if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { bio_put_uint32(bio, 0xffffffff); return; } /* Note: The payload will carry 32bit size instead of size_t */ bio_put_uint32(bio, len); ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t)); if (!ptr) return; while (*str) *ptr++ = *str++; *ptr++ = 0; } static void *bio_get(struct binder_io *bio, size_t size) { size = (size + 3) & (~3); if (bio->data_avail < size){ bio->data_avail = 0; bio->flags |= BIO_F_OVERFLOW; return NULL; } else { void *ptr = bio->data; bio->data += size; bio->data_avail -= size; return ptr; } } uint32_t bio_get_uint32(struct binder_io *bio) { uint32_t *ptr = bio_get(bio, sizeof(*ptr)); return ptr ? *ptr : 0; } uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz) { size_t len; /* Note: The payload will carry 32bit size instead of size_t */ len = (size_t) bio_get_uint32(bio); if (sz) *sz = len; return bio_get(bio, (len + 1) * sizeof(uint16_t)); } static struct flat_binder_object *_bio_get_obj(struct binder_io *bio) { size_t n; size_t off = bio->data - bio->data0; /* TODO: be smarter about this? */ for (n = 0; n < bio->offs_avail; n++) { if (bio->offs[n] == off) return bio_get(bio, sizeof(struct flat_binder_object)); } bio->data_avail = 0; bio->flags |= BIO_F_OVERFLOW; return NULL; } uint32_t bio_get_ref(struct binder_io *bio) { struct flat_binder_object *obj; obj = _bio_get_obj(bio); if (!obj) return 0; if (obj->type == BINDER_TYPE_HANDLE) return obj->handle; return 0; }
test_server.c
/* Copyright 2008 The Android Open Source Project */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <private/android_filesystem_config.h> #include "binder.h" #include "test_server.h" int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr) { int status; unsigned iodata[512/4]; struct binder_io msg, reply; bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header bio_put_string16_x(&msg, SVC_MGR_NAME); bio_put_string16_x(&msg, name); bio_put_obj(&msg, ptr); if (binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE)) return -1; status = bio_get_uint32(&reply); binder_done(bs, &msg, &reply); return status; } void sayhello(void) { static int cnt = 0; fprintf(stderr, "say hello : %d\n", cnt++); } int sayhello_to(char *name) { static int cnt = 0; fprintf(stderr, "say hello to %s : %d\n", name, cnt++); return cnt; } void saygoodbye(void) { static int cnt = 0; fprintf(stderr, "say goodbye : %d\n", cnt++); } int saygoodbye_to(char *name) { static int cnt = 0; fprintf(stderr, "say goodbye to %s : %d\n", name, cnt++); return cnt; } int hello_service_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { /* 根據txn->code知道要調用哪一個函數 * 如果需要參數, 可以從msg取出 * 如果要返回結果, 可以把結果放入reply */ /* sayhello * sayhello_to */ uint16_t *s; char name[512]; size_t len; uint32_t handle; uint32_t strict_policy; int i; // Equivalent to Parcel::enforceInterface(), reading the RPC // header with the strict mode policy mask and the interface name. // Note that we ignore the strict_policy and don't propagate it // further (since we do no outbound RPCs anyway). strict_policy = bio_get_uint32(msg); switch(txn->code) { case HELLO_SVR_CMD_SAYHELLO: sayhello(); return 0; case HELLO_SVR_CMD_SAYHELLO_TO: /* 從msg里取出字符串 */ s = bio_get_string16(msg, &len); if (s == NULL) { return -1; } for (i = 0; i < len; i++) name[i] = s[i]; name[i] = '\0'; /* 處理 */ i = sayhello_to(name); /* 把結果放入reply */ bio_put_uint32(reply, i); break; default: fprintf(stderr, "unknown code %d\n", txn->code); return -1; } return 0; } int goodbye_service_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { /* 根據txn->code知道要調用哪一個函數 * 如果需要參數, 可以從msg取出 * 如果要返回結果, 可以把結果放入reply */ /* sayhello * sayhello_to */ uint16_t *s; char name[512]; size_t len; uint32_t handle; uint32_t strict_policy; int i; // Equivalent to Parcel::enforceInterface(), reading the RPC // header with the strict mode policy mask and the interface name. // Note that we ignore the strict_policy and don't propagate it // further (since we do no outbound RPCs anyway). strict_policy = bio_get_uint32(msg); switch(txn->code) { case GOODBYE_SVR_CMD_SAYGOODBYE: saygoodbye(); return 0; case GOODBYE_SVR_CMD_SAYGOODBYE_TO: /* 從msg里取出字符串 */ s = bio_get_string16(msg, &len); if (s == NULL) { return -1; } for (i = 0; i < len; i++) name[i] = s[i]; name[i] = '\0'; /* 處理 */ i = saygoodbye_to(name); /* 把結果放入reply */ bio_put_uint32(reply, i); break; default: fprintf(stderr, "unknown code %d\n", txn->code); return -1; } return 0; } int test_server_handler(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply) { int (*handler)(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply); handler = (int (*)(struct binder_state *bs, struct binder_transaction_data *txn, struct binder_io *msg, struct binder_io *reply))txn->target.ptr; return handler(bs, txn, msg, reply); } int main(int argc, char **argv) { int fd; struct binder_state *bs; uint32_t svcmgr = BINDER_SERVICE_MANAGER; uint32_t handle; int ret; bs = binder_open(128*1024); if (!bs) { fprintf(stderr, "failed to open binder driver\n"); return -1; } /* add service */ ret = svcmgr_publish(bs, svcmgr, "hello", hello_service_handler); if (ret) { fprintf(stderr, "failed to publish hello service\n"); return -1; } ret = svcmgr_publish(bs, svcmgr, "goodbye", goodbye_service_handler); if (ret) { fprintf(stderr, "failed to publish goodbye service\n"); } #if 0 while (1) { /* read data */ /* parse data, and process */ /* reply */ } #endif binder_set_maxthreads(bs, 10); binder_loop(bs, test_server_handler); return 0; }
test_client.c
/* Copyright 2008 The Android Open Source Project */ #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <linux/types.h> #include<stdbool.h> #include <string.h> #include <private/android_filesystem_config.h> #include "binder.h" #include "test_server.h" uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name) { uint32_t handle; unsigned iodata[512/4]; struct binder_io msg, reply; bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header bio_put_string16_x(&msg, SVC_MGR_NAME); bio_put_string16_x(&msg, name); if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE)) return 0; handle = bio_get_ref(&reply); if (handle) binder_acquire(bs, handle); binder_done(bs, &msg, &reply); return handle; } struct binder_state *g_bs; uint32_t g_hello_handle; uint32_t g_goodbye_handle; void sayhello(void) { unsigned iodata[512/4]; struct binder_io msg, reply; /* 構造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); /*這是寫入的一個垃圾數據,沒有使用*/ bio_put_uint32(&msg, 0); // strict mode header /* 放入參數 */ /* 調用binder_call */ if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO)) return ; /* 從reply中解析出返回值 */ binder_done(g_bs, &msg, &reply); } int sayhello_to(char *name) { unsigned iodata[512/4]; struct binder_io msg, reply; int ret; /* 構造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入參數 */ bio_put_string16_x(&msg, name); /* 調用binder_call */ if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO_TO)) return 0; /* 從reply中解析出返回值 */ ret = bio_get_uint32(&reply); binder_done(g_bs, &msg, &reply); return ret; } void saygoodbye(void) { unsigned iodata[512/4]; struct binder_io msg, reply; /* 構造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入參數 */ /* 調用binder_call */ if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE)) return ; /* 從reply中解析出返回值 */ binder_done(g_bs, &msg, &reply); } int saygoodbye_to(char *name) { unsigned iodata[512/4]; struct binder_io msg, reply; int ret; /* 構造binder_io */ bio_init(&msg, iodata, sizeof(iodata), 4); bio_put_uint32(&msg, 0); // strict mode header /* 放入參數 */ bio_put_string16_x(&msg, name); /* 調用binder_call */ if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE_TO)) return 0; /* 從reply中解析出返回值 */ ret = bio_get_uint32(&reply); binder_done(g_bs, &msg, &reply); return ret; } /* ./test_client hello * ./test_client hello <name> */ int main(int argc, char **argv) { int fd; struct binder_state *bs; uint32_t svcmgr = BINDER_SERVICE_MANAGER; uint32_t handle; int ret; if (argc < 2){ fprintf(stderr, "Usage:\n"); fprintf(stderr, "%s <hello|goodbye>\n", argv[0]); fprintf(stderr, "%s <hello|goodbye> <name>\n", argv[0]); return -1; } bs = binder_open(128*1024); if (!bs) { fprintf(stderr, "failed to open binder driver\n"); return -1; } g_bs = bs; /* get service */ handle = svcmgr_lookup(bs, svcmgr, "goodbye"); if (!handle) { fprintf(stderr, "failed to get goodbye service\n"); return -1; } g_goodbye_handle = handle; fprintf(stderr, "Handle for goodbye service = %d\n", g_goodbye_handle); handle = svcmgr_lookup(bs, svcmgr, "hello"); if (!handle) { fprintf(stderr, "failed to get hello service\n"); return -1; } g_hello_handle = handle; fprintf(stderr, "Handle for hello service = %d\n", g_hello_handle); /* send data to server */ if (!strcmp(argv[1], "hello")) { if (argc == 2) { sayhello(); } else if (argc == 3) { ret = sayhello_to(argv[2]); fprintf(stderr, "get ret of sayhello_to = %d\n", ret); } } else if (!strcmp(argv[1], "goodbye")) { if (argc == 2) { saygoodbye(); } else if (argc == 3) { ret = saygoodbye_to(argv[2]); fprintf(stderr, "get ret of sayhello_to = %d\n", ret); } } binder_release(bs, handle); return 0; }
代碼:http://github.com/weidongshan/APP_0003_Binder_C_App.git
修改的加打印的驅動:http://github.com/weidongshan/DRV_0003_Binder.git
優秀博文:
Android Binder的設計與實現: http://blog.csdn.net/universus/article/details/6211589
binder雙向傳輸棧分析:http://www.cnblogs.com/samchen2009/p/3316001.html