HwServiceManager篇-Android10.0 HwBinder通信原理(五)
摘要:本节主要来讲解Android10.0 HwServiceManager的通信原理
阅读本文大约需要花费34分钟。
文章首发微信公众号:IngresGe
专注于Android系统级源码分析,Android的平台设计,欢迎关注我,谢谢!
欢迎关注我的公众号!
[Android取经之路] 的源码都基于Android-Q(10.0) 进行分析
[Android取经之路] 系列文章:
《系统启动篇》
- Android系统架构
- Android是怎么启动的
- Android 10.0系统启动之init进程
- Android10.0系统启动之Zygote进程
- Android 10.0 系统启动之SystemServer进程
- Android 10.0 系统服务之ActivityMnagerService
- Android10.0系统启动之Launcher(桌面)启动流程
- Android10.0应用进程创建过程以及Zygote的fork流程
- Android 10.0 PackageManagerService(一)工作原理及启动流程
- Android 10.0 PackageManagerService(二)权限扫描
- Android 10.0 PackageManagerService(三)APK扫描
- Android 10.0 PackageManagerService(四)APK安装流程
《日志系统篇》
- Android10.0 日志系统分析(一)-logd、logcat 指令说明、分类和属性
- Android10.0 日志系统分析(二)-logd、logcat架构分析及日志系统初始化
- Android10.0 日志系统分析(三)-logd、logcat读写日志源码分析
- Android10.0 日志系统分析(四)-selinux、kernel日志在logd中的实现
《Binder通信原理》:
- Android10.0 Binder通信原理(一)Binder、HwBinder、VndBinder概要
- Android10.0 Binder通信原理(二)-Binder入门篇
- Android10.0 Binder通信原理(三)-ServiceManager篇
- Android10.0 Binder通信原理(四)-Native-C\C++实例分析
- Android10.0 Binder通信原理(五)-Binder驱动分析
- Android10.0 Binder通信原理(六)-Binder数据如何完成定向打击
- Android10.0 Binder通信原理(七)-Framework binder示例
- Android10.0 Binder通信原理(八)-Framework层分析
- Android10.0 Binder通信原理(九)-AIDL Binder示例
- Android10.0 Binder通信原理(十)-AIDL原理分析-Proxy-Stub设计模式
- Android10.0 Binder通信原理(十一)-Binder总结
《HwBinder通信原理》
- HwBinder入门篇-Android10.0 HwBinder通信原理(一)
- HIDL详解-Android10.0 HwBinder通信原理(二)
- HIDL示例-C++服务创建Client验证-Android10.0 HwBinder通信原理(三)
- HIDL示例-JAVA服务创建-Client验证-Android10.0 HwBinder通信原理(四)
- HwServiceManager篇-Android10.0 HwBinder通信原理(五)
- Native层HIDL服务的注册原理-Android10.0 HwBinder通信原理(六)
- Native层HIDL服务的获取原理-Android10.0 HwBinder通信原理(七)
- JAVA层HIDL服务的注册原理-Android10.0 HwBinder通信原理(八)
- JAVA层HIDL服务的获取原理-Android10.0 HwBinder通信原理(九)
- HwBinder驱动篇-Android10.0 HwBinder通信原理(十)
- HwBinder原理总结-Android10.0 HwBinder通信原理(十一)
《编译原理》
- 编译系统入门篇-Android10.0编译系统(一)
- 编译环境初始化-Android10.0编译系统(二)
- make编译过程-Android10.0编译系统(三)
- Image打包流程-Android10.0编译系统(四)
- Kati详解-Android10.0编译系统(五)
1.概述
HwServiceManager是HAL服务管理中心,负责管理系统中的所有HAL服务,由init进程启动。
HwServiceManager 的主要工作就是收集各个硬件服务,当有进程需要服务时由HwServiceManager 提供特定的硬件服务。
2.HwBinder架构
HwBinder通信原理:
3.hwservicemanager的启动
在init.rc中,当init进程启动后,会去启动servicemanager、hwservicemanager、vndservicemanager 三个binder的守护进程
[/system/core/rootdir/init.rc]
on init...start servicemanagerstart hwservicemanagerstart vndservicemanager
hwservicemanager.rc 文件如下:
[/system/hwservicemanager/hwservicemanager.rc]
service hwservicemanager /system/bin/hwservicemanageruser systemdisabledgroup system readproccriticalonrestart setprop hwservicemanager.ready false //重启后,需要把属性hwservicemanager.ready设置为falseonrestart class_restart mainonrestart class_restart halonrestart class_restart early_halwritepid /dev/cpuset/system-background/tasksclass animationshutdown critical
4.HwServiceManager调用栈
在分析源码之前,我们先来看下上下文的粗略调用关系,HwServiceManager的调用栈信息如下:
5.源码分析
下面我们正式进入HwServiceManager的源码分析。
HwServiceManager时序图如下:
5.1 main()
HwServiceManager 启动时主要需要完成以下几件事情:
将ServiceManager、TokenManager 注册到mServiceMap表中
根据ServiceManager找到为Binder对象,得到的Binder对象为BnHwServiceManager,最终转换为本地的Binder对象-BHwBinder,为后续流程处理做准备
初始化/dev/hwbinder驱动,为其分配一块虚拟内存用于IPC数据交换
向hwbinder注册HAL服务管家(IPC上下文管理者)
进入死循环,调用epoll_wait() 监听/dev/hwbinder是否有数据可读,如有则调用回调执行指令,根据client传入的code,从而调用get()\add()\addWithChain()\list() 等接口,来查询、注册hwbinder的hal服务
[/system/hwservicemanager/service.cpp]
int main() {// If hwservicemanager crashes, the system may be unstable and hard to debug. This is both why// we log this and why we care about this at all.setProcessHidlReturnRestriction(HidlReturnRestriction::ERROR_IF_UNCHECKED);//1.创建ServiceManager对象,继承自IServiceManager,采用sp强指针来进行内存自动释放sp<ServiceManager> manager = new ServiceManager();setRequestingSid(manager, true);//1.1将ServiceManager对象自身注册到mServiceMap表中,参考[5.2]if (!manager->add(serviceName, manager).withDefault(false)) {ALOGE("Failed to register hwservicemanager with itself.");}//2.创建TokenManager对象sp<TokenManager> tokenManager = new TokenManager();//2.1将TokenManager对象自身注册到mServiceMap表中if (!manager->add(serviceName, tokenManager).withDefault(false)) {ALOGE("Failed to register ITokenManager with hwservicemanager.");}//3.告诉IPCThreadState,我们是ServiceManager,// Tell IPCThreadState we're the service manager//根据ServiceManager找到为Binder对象,得到的Binder对象为BnHwServiceManager, 参考[5.3]sp<IBinder> binder = toBinder<IServiceManager>(manager);//把binder对象BnHwServiceManager转换为BHwBinder 本地binder对象sp<BHwBinder> service = static_cast<BHwBinder*>(binder.get()); // local binder object//把服务对象传给IPCThreadState,作为Context ObjectIPCThreadState::self()->setTheContextObject(service);//4.通知 binder 驱动,这个进程是服务管理器进程// Then tell the kernelProcessState::self()->becomeContextManager(nullptr, nullptr);//设置属性:hwservicemanager.ready 为trueint rc = property_set("hwservicemanager.ready", "true");if (rc) {ALOGE("Failed to set \"hwservicemanager.ready\" (error %d). "\"HAL services will not start!\n", rc);}//5.其他进程通过 hwservicemanager.ready 属性得知 HwServiceManager 进程是否准备完毕sp<Looper> looper = Looper::prepare(0 /* opts */);//6.把HwBinderCallback作为回调,注册进入Lopper,用来做后续的lopper处理(void)HwBinderCallback::setupTo(looper);//7.把ClientCallbackCallback作为回调,注册进入Lopper,其中创建了一个定时器对象,5秒跑一次(void)ClientCallbackCallback::setupTo(looper, manager);ALOGI("hwservicemanager is ready now.");//8.进入死循环,调用 epoll_wait()等待消息while (true) {looper->pollAll(-1 /* timeoutMillis */);}return 0;
}
接下来针对main()的整个流程做拆解分析。
5.2 ServiceManager::add()
将ServiceManager、TokenManager 注册到mServiceMap表中
[/system/hwservicemanager/ServiceManager.cpp]
Return<bool> ServiceManager::add(const hidl_string& name, const sp<IBase>& service) {bool addSuccess = false;if (service == nullptr) {return false;}//1.获取当前binder调用的pid、sid 上下文信息,参考[5.2.1]auto pidcon = getBinderCallingContext();//从IServiceManager中得到几组descriptor字符串auto ret = service->interfaceChain([&](const auto &interfaceChain) {//2.参考[5.2.7]addSuccess = addImpl(name, service, interfaceChain, pidcon);});if (!ret.isOk()) {LOG(ERROR) << "Failed to retrieve interface chain: " << ret.description();return false;}return addSuccess;
}
[/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.2/ServiceManagerAll.cpp]
::android::hardware::Return<void> IServiceManager::interfaceChain(interfaceChain_cb _hidl_cb){_hidl_cb({::android::hidl::manager::V1_0::IServiceManager::descriptor,::android::hidl::base::V1_0::IBase::descriptor,});return ::android::hardware::Void();}::android::hardware::Return<void> IServiceManager::interfaceChain(interfaceChain_cb _hidl_cb){_hidl_cb({::android::hidl::manager::V1_1::IServiceManager::descriptor,::android::hidl::manager::V1_0::IServiceManager::descriptor,::android::hidl::base::V1_0::IBase::descriptor,});return ::android::hardware::Void();}::android::hardware::Return<void> IServiceManager::interfaceChain(interfaceChain_cb _hidl_cb){_hidl_cb({::android::hidl::manager::V1_2::IServiceManager::descriptor,::android::hidl::manager::V1_1::IServiceManager::descriptor,::android::hidl::manager::V1_0::IServiceManager::descriptor,::android::hidl::base::V1_0::IBase::descriptor,});return ::android::hardware::Void();
}
5.2.1 getBinderCallingContext()
先获取当前binder线程的对象,再获取其调用的pid、sid 上下文信息
[/system/hwservicemanager/ServiceManager.cpp]
AccessControl::CallingContext getBinderCallingContext() {//获取当前binder线程的对象,参考[5.2.2]const auto& self = IPCThreadState::self();pid_t pid = self->getCallingPid(); //得到pidconst char* sid = self->getCallingSid(); //得到sidif (sid == nullptr) {if (pid != getpid()) {android_errorWriteLog(0x534e4554, "121035042");}//如果sid为空,根据pid来得到对应的context值,返回相应结构return AccessControl::getCallingContext(pid);} else {return { true, sid, pid };}
}
5.2.2 IPCThreadState::self()
用来获取当前binder线程的对象,如果没有对象,就创建一个
[/system/libhwbinder/IPCThreadState.cpp]IPCThreadState* IPCThreadState::self()
{//1.第一次进入时,gHaveTLS为falseif (gHaveTLS) {restart://6.如果线程中有IPCThreadState数据,就返回线程中的对象, 否是新创建一个IPCThreadState的对象并返回const pthread_key_t k = gTLS;IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);if (st) return st;return new IPCThreadState; //参考[5.2.3]}//2.第一次进入时,gShutdown为falseif (gShutdown) {ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n");return nullptr;}pthread_mutex_lock(&gTLSMutex); //上锁if (!gHaveTLS) {//3.创建线程私有数据int key_create_value = pthread_key_create(&gTLS, threadDestructor);if (key_create_value != 0) {pthread_mutex_unlock(&gTLSMutex);ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n",strerror(key_create_value));return nullptr;}//4.gHaveTLS置为truegHaveTLS = true;}pthread_mutex_unlock(&gTLSMutex);//解锁//5.跳转到restartgoto restart;
}
5.2.3 IPCThreadState::IPCThreadState()
用来做一些初值赋值,主要是获取ProcessState的对象,存入mProcess
[/system/libhwbinder/IPCThreadState.cpp]
IPCThreadState::IPCThreadState(): mProcess(ProcessState::self()), //参考[5.2.4]mStrictModePolicy(0),mLastTransactionBinderFlags(0),mIsLooper(false),mIsPollingThread(false),mCallRestriction(mProcess->mCallRestriction) {pthread_setspecific(gTLS, this);clearCaller();mIn.setDataCapacity(256);mOut.setDataCapacity(256);mIPCThreadStateBase = IPCThreadStateBase::self();
}
5.2.4 ProcessState::self()
这是一个单例的实现,在一个进程中,只会创建一次ProcessState对象
[/system/libhwbinder/ProcessState.cpp ]
sp<ProcessState> ProcessState::self()
{Mutex::Autolock _l(gProcessMutex);if (gProcess != nullptr) {return gProcess;}gProcess = new ProcessState(DEFAULT_BINDER_VM_SIZE); //参考[5.2.5]return gProcess;
}
5.2.5 ProcessState::ProcessState()
打开“/dev/hwbinder”,得到hwbinde句柄,赋给mDriverFD,后面该进程中就通过这个句柄和hwbinder驱动进行通信
同时,申请一块(1M-8K)的虚拟内存空间,用来接收事务
[/system/libhwbinder/ProcessState.cpp ]
ProcessState::ProcessState(size_t mmap_size): mDriverFD(open_driver()) //打开“/dev/hwbinder”,得到hwbinde句柄,赋给mDriverFD, mVMStart(MAP_FAILED), mThreadCountLock(PTHREAD_MUTEX_INITIALIZER), mThreadCountDecrement(PTHREAD_COND_INITIALIZER), mExecutingThreadsCount(0), mMaxThreads(DEFAULT_MAX_BINDER_THREADS) //默认的最大binder线程个数,这里为0, mStarvationStartTimeMs(0), mManagesContexts(false), mBinderContextCheckFunc(nullptr), mBinderContextUserData(nullptr), mThreadPoolStarted(false), mSpawnThreadOnStart(true), mThreadPoolSeq(1), mMmapSize(mmap_size), mCallRestriction(CallRestriction::NONE)
{if (mDriverFD >= 0) {// mmap the binder, providing a chunk of virtual address space to receive transactions.//申请一块(1M-8K)的虚拟内存空间,用来接收事务mVMStart = mmap(nullptr, mMmapSize, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);if (mVMStart == MAP_FAILED) {// *sigh*ALOGE("Mmapping /dev/hwbinder failed: %s\n", strerror(errno));close(mDriverFD);mDriverFD = -1;}}else {ALOGE("Binder driver could not be opened. Terminating.");}
}
5.2.6 open_driver()
打开/dev/hwbinder驱动,比较binder比较协议版本是否相同,不同则跳出,同时设置最大的binder线程个数
[/system/libhwbinder/ProcessState.cpp]
static int open_driver()
{//1.打开hwinder设备驱动,陷入内核int fd = open("/dev/hwbinder", O_RDWR | O_CLOEXEC);if (fd >= 0) {int vers = 0;//2.获取Binder的版本信息status_t result = ioctl(fd, BINDER_VERSION, &vers);if (result == -1) {ALOGE("Binder ioctl to obtain version failed: %s", strerror(errno));close(fd);fd = -1;}//3.比较协议版本是否相同,不同则跳出if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) {ALOGE("Binder driver protocol(%d) does not match user space protocol(%d)!", vers, BINDER_CURRENT_PROTOCOL_VERSION);close(fd);fd = -1;}//3.设置binder最大线程个数size_t maxThreads = DEFAULT_MAX_BINDER_THREADS;result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);if (result == -1) {ALOGE("Binder ioctl to set max threads failed: %s", strerror(errno));}} else {ALOGW("Opening '/dev/hwbinder' failed: %s\n", strerror(errno));}return fd;
}
5.2.7 ServiceManager::addImpl()
获取当前binder调用的pid、sid 上下文信息后,开始注册ServiceManager自身,即把ServiceManager对象注册到mServiceMap中
在过程中,要进行selinux检查,确认该进程有权限添加service后,再检查是否有重复注册,而且如果子类在父类上注册,则注销它,
排除一切问题后,把需要注册的服务,注册到mServiceMap中,最后建立一个死亡连接,当服务挂掉时会接收到通知,做一些清理工作。
bool ServiceManager::addImpl(const std::string& name,const sp<IBase>& service,const hidl_vec<hidl_string>& interfaceChain,const AccessControl::CallingContext& callingContext) {//传入的interfaceChain size大于0if (interfaceChain.size() == 0) {LOG(WARNING) << "Empty interface chain for " << name;return false;}//1.首先,检查是否有权限来否允许add()整个接口层次结构,最终调用的是selinux_check_access来检查,是否有 hwservice_manager的权限for(size_t i = 0; i < interfaceChain.size(); i++) {const std::string fqName = interfaceChain[i];if (!mAcl.canAdd(fqName, callingContext)) {return false;}}// 2.检查是否有重复注册if (interfaceChain.size() > 1) {// 倒数第二的条目应该是除IBase之外的最高基类。const std::string baseFqName = interfaceChain[interfaceChain.size() - 2];const HidlService *hidlService = lookup(baseFqName, name);if (hidlService != nullptr && hidlService->getService() != nullptr) {// This shouldn't occur during normal operation. Here are some cases where// it might get hit:// - bad configuration (service installed on device multiple times)// - race between death notification and a new service being registered// (previous logs should indicate a separate problem)const std::string childFqName = interfaceChain[0];pid_t newServicePid = IPCThreadState::self()->getCallingPid();pid_t oldServicePid = hidlService->getDebugPid();LOG(WARNING) << "Detected instance of " << childFqName << " (pid: " << newServicePid<< ") registering over instance of or with base of " << baseFqName << " (pid: "<< oldServicePid << ").";}}// 3.如果子类在父类上注册,则注销它{// For IBar extends IFoo if IFoo/default is being registered, remove// IBar/default. This makes sure the following two things are equivalent// 1). IBar::castFrom(IFoo::getService(X))// 2). IBar::getService(X)// assuming that IBar is declared in the device manifest and there// is also not an IBaz extends IFoo and there is no race.const std::string childFqName = interfaceChain[0];const HidlService *hidlService = lookup(childFqName, name);if (hidlService != nullptr) {const sp<IBase> remove = hidlService->getService();if (remove != nullptr) {const std::string instanceName = name;removeService(remove, &instanceName /* restrictToInstanceName */);}}}// 4.排除问题后,把需要注册的服务,注册到mServiceMap中for(size_t i = 0; i < interfaceChain.size(); i++) {const std::string fqName = interfaceChain[i];PackageInterfaceMap &ifaceMap = mServiceMap[fqName];HidlService *hidlService = ifaceMap.lookup(name);if (hidlService == nullptr) {//服务插入 mServiceMap,以后从这取出服务ifaceMap.insertService(std::make_unique<HidlService>(fqName, name, service, callingContext.pid));} else {hidlService->setService(service, callingContext.pid);}ifaceMap.sendPackageRegistrationNotification(fqName, name);}//建立一个死亡连接,当服务挂掉时会接收到通知,做一些清理工作bool linkRet = service->linkToDeath(this, kServiceDiedCookie).withDefault(false);if (!linkRet) {LOG(ERROR) << "Could not link to death for " << interfaceChain[0] << "/" << name;}return true;
}
5.3 toBinder()
根据ServiceManager找到对应的Binder对象,最终找到的Binder对象为BnHwServiceManager
[\system\libhidl\transport\include\hidl\HidlBinderSupport.h]
sp<IBinder> toBinder(sp<IType> iface) {IType *ifacePtr = iface.get();return getOrCreateCachedBinder(ifacePtr);
}
转换一下:
sp<IBinder> toBinder(sp<IServiceManager> manager) {IServiceManager *ifacePtr = manager.get(); //得到一个IServiceManager服务对象return getOrCreateCachedBinder(ifacePtr);
}
[\system\libhidl\transport\include\hidl\HidlBinderSupport.cpp]
sp<IBinder> getOrCreateCachedBinder(::android::hidl::base::V1_0::IBase* ifacePtr) {if (ifacePtr == nullptr) {return nullptr;}这里首先判断hal对象是否是BpHwxxx 远程Binder,如果是,直接返回remote的BpHwBinder对象if (ifacePtr->isRemote()) {using ::android::hidl::base::V1_0::BpHwBase;BpHwBase* bpBase = static_cast<BpHwBase*>(ifacePtr);BpHwRefBase* bpRefBase = static_cast<BpHwRefBase*>(bpBase);return sp<IBinder>(bpRefBase->remote());}//获得IServiceManager的descriptionstd::string descriptor = details::getDescriptor(ifacePtr);if (descriptor.empty()) {// interfaceDescriptor failsreturn nullptr;}// for get + setstd::unique_lock<std::mutex> _lock = details::gBnMap->lock();wp<BHwBinder> wBnObj = details::gBnMap->getLocked(ifacePtr, nullptr);sp<IBinder> sBnObj = wBnObj.promote();if (sBnObj == nullptr) {//获取BnConstructorMap的map对象auto func = details::getBnConstructorMap().get(descriptor, nullptr);if (!func) {// TODO(b/69122224): remove this static variable when prebuilts updatedfunc = details::gBnConstructorMap->get(descriptor, nullptr);}LOG_ALWAYS_FATAL_IF(func == nullptr, "%s gBnConstructorMap returned null for %s", __func__,descriptor.c_str());//强转为一个IBinder的强指针对象sBnObj = sp<IBinder>(func(static_cast<void*>(ifacePtr)));LOG_ALWAYS_FATAL_IF(sBnObj == nullptr, "%s Bn constructor function returned null for %s",__func__, descriptor.c_str());details::gBnMap->setLocked(ifacePtr, static_cast<BHwBinder*>(sBnObj.get()));}return sBnObj;
}
这里就有一个疑问getBnConstructorMap()获取的Binder对象,是从哪里来的呢?
这里传入的description是IServiceManager的description,所以我们回到IServiceManager的实现中去,在ServiceManagerAll.cpp的开头有下面这么一段:
[/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.2/ServiceManagerAll.cpp]
__attribute__((constructor)) static void static_constructor() {::android::hardware::details::getBnConstructorMap().set(IServiceManager::descriptor,[](void *iIntf) -> ::android::sp<::android::hardware::IBinder> {return new BnHwServiceManager(static_cast<IServiceManager *>(iIntf));});::android::hardware::details::getBsConstructorMap().set(IServiceManager::descriptor,[](void *iIntf) -> ::android::sp<::android::hidl::base::V1_0::IBase> {return new BsServiceManager(static_cast<IServiceManager *>(iIntf));});
};
__attribute__((constructor)) 不是标准C++,他是GCC的一种扩展属性函数。constructor属性使得函数在执行进入main()之前被自动调用。
所以在HwServiceManager进程中,在serviec.cpp的main()函数执行之前会先执行__attribute__((constructor))中的内容,从这里可以看到__attribute__((constructor)) 中把 BnHwServiceManager 对象和BsServiceManager对象,分别插入了BnConstructorMap 和BsConstructorMap的map中,
当main()启动后,其他函数调用getBnConstructorMap().get()时,就能获得BnHwServiceManager对象,所以我们这里的getOrCreateCachedBinder()最终获得的Binder对象就是BnHwServiceManager。
BnHwServiceManager类继承关系如下图展示:
5.4 ProcessState::becomeContextManager()
让HwServiceManager成为整个系统中唯一的上下文管理器,其实也就是service管理器,这样我们就可以把HwServiceManager称之为守护进程。
bool ProcessState::becomeContextManager(context_check_func checkFunc, void* userData)
{if (!mManagesContexts) {AutoMutex _l(mLock);mBinderContextCheckFunc = checkFunc;mBinderContextUserData = userData;flat_binder_object obj {.flags = FLAT_BINDER_FLAG_TXN_SECURITY_CTX,};//Android10.0 中引入BINDER_SET_CONTEXT_MGR_EXT,用来把HwServiecManager设置成为安全的上下文,status_t result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR_EXT, &obj);// fallback to original methodif (result != 0) {android_errorWriteLog(0x534e4554, "121035042");int dummy = 0;//如果安全上下文设置失败,继续使用原有的BINDER_SET_CONTEXT_MGR来进行控制result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR, &dummy);}if (result == 0) {mManagesContexts = true;} else if (result == -1) {mBinderContextCheckFunc = nullptr;mBinderContextUserData = nullptr;ALOGE("Binder ioctl to become context manager failed: %s\n", strerror(errno));}}return mManagesContexts;
}
5.5 HwBinderCallback::setupTo()
调用栈:
setupTo()主要是把HwBinderCallback对象作为回调,加入到Lopper中,fd为之前打开的hwbinder句柄,ident:POLL_CALLBACK, events:EVENT_INPUT,调用epoll_ctl()来监听fd的变化,为后面回调处理做准备。
[/system/hwservicemanager/service.cpp]
static sp<HwBinderCallback> setupTo(const sp<Looper>& looper) {//1.拿到HwBinderCallback对象sp<HwBinderCallback> cb = new HwBinderCallback;//2.获取到之前得到的open("/dev/hwbinder")的句柄mProcess->mDriverFD,配置一个1线程,mOut写入一个参数 BC_ENTER_LOOPER//参考[5.5.1]int fdHwBinder = setupTransportPolling();LOG_ALWAYS_FATAL_IF(fdHwBinder < 0, "Failed to setupTransportPolling: %d", fdHwBinder);// Flush after setupPolling(), to make sure the binder driver// knows about this thread handling commands.//3.其中最终调用的是talkWithDriver(),用来把前面的code:BC_ENTER_LOOPER发给binder驱动,参考[5.5.2]IPCThreadState::self()->flushCommands();//把HwBinderCallback作为回调加入到Looper的,IPC请求回调,有数据时会调用该回调进行处理int ret = looper->addFd(fdHwBinder,Looper::POLL_CALLBACK,Looper::EVENT_INPUT,cb,nullptr /*data*/);LOG_ALWAYS_FATAL_IF(ret != 1, "Failed to add binder FD to Looper");return cb;
}
5.5.1 setupPolling()
根据setupTo()的调用栈可知,setupTransportPolling最终会调到setupPolling(),主要用来配置一个hwbinder线程,往mOut写入一个code:BC_ENTER_LOOPER,用来后面和hwbinder进行通信,再把hwbinder的句柄赋值给fd
[/system/libhwbinder/IPCThreadState.cpp]
int IPCThreadState::setupPolling(int* fd)
{if (mProcess->mDriverFD <= 0) {return -EBADF;}// Tells the kernel to not spawn any additional binder threads,// as that won't work with polling. Also, the caller is responsible// for subsequently calling handlePolledCommands()//配置hwbinder信息信息mProcess->setThreadPoolConfiguration(1, true /* callerWillJoin */);mIsPollingThread = true;mOut.writeInt32(BC_ENTER_LOOPER); //把BC_ENTER_LOOPER 写入mOut*fd = mProcess->mDriverFD; //获取hwbinder句柄赋值return 0;
}
5.5.2 IPCThreadState::talkWithDriver()
这里主要是把之前mOut的内容(code:BC_ENTER_LOOPER)写入hwbinder驱动,从binder驱动读入返回值,存入mIn
[/system/libhwbinder/IPCThreadState.cpp]
status_t IPCThreadState::talkWithDriver(bool doReceive)
{if (mProcess->mDriverFD <= 0) {return -EBADF;}binder_write_read bwr; //准备一个write_read 结构,用来向hwbinder驱动发送数据// Is the read buffer empty?const bool needRead = mIn.dataPosition() >= mIn.dataSize();// We don't want to write anything if we are still reading// from data left in the input buffer and the caller// has requested to read the next data.const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;bwr.write_size = outAvail;bwr.write_buffer = (uintptr_t)mOut.data(); 把mOut的数据存入 write_buffer中,code:BC_ENTER_LOOPER// doReceive为false,这次负责write,不用readif (doReceive && needRead) {//接收数据缓冲区信息的填充。如果以后收到数据,就直接填在mIn中了bwr.read_size = mIn.dataCapacity();bwr.read_buffer = (uintptr_t)mIn.data();} else {//没有收到数据时,把read置空,binder只进行write处理bwr.read_size = 0;bwr.read_buffer = 0;}//当读缓冲和写缓冲都为空,则直接返回if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;bwr.write_consumed = 0;bwr.read_consumed = 0;status_t err;do {
#if defined(__ANDROID__)///通过ioctl不停的读写操作,跟hwbinder驱动进行通信if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)err = NO_ERROR;elseerr = -errno;
#elseerr = INVALID_OPERATION;
#endifif (mProcess->mDriverFD <= 0) {err = -EBADF;}} while (err == -EINTR); //当被中断,则继续执行...if (err >= NO_ERROR) {if (bwr.write_consumed > 0) {if (bwr.write_consumed < mOut.dataSize())mOut.remove(0, bwr.write_consumed);else {mOut.setDataSize(0);processPostWriteDerefs();}}//当从binder驱动读到内容后,存入mInif (bwr.read_consumed > 0) {mIn.setDataSize(bwr.read_consumed);mIn.setDataPosition(0);}...return NO_ERROR;}return err;
}
5.5.3 Looper::addFd()
fd放入线程epoll中,epoll_wait等待时,当fd有数据接入,我们就可以处理相应的数据
[/system/core/libutils/Looper.cpp]
int Looper::addFd(int fd, int ident, int events, const sp<LooperCallback>& callback, void* data) {if (!callback.get()) {if (! mAllowNonCallbacks) {ALOGE("Invalid attempt to set NULL callback but not allowed for this looper.");return -1;}if (ident < 0) {ALOGE("Invalid attempt to set NULL callback with ident < 0.");return -1;}} else {ident = POLL_CALLBACK;}{ // acquire lockAutoMutex _l(mLock);Request request;request.fd = fd;request.ident = ident;request.events = events;request.seq = mNextRequestSeq++;request.callback = callback;request.data = data;if (mNextRequestSeq == -1) mNextRequestSeq = 0; // reserve sequence number -1struct epoll_event eventItem;request.initEventItem(&eventItem);ssize_t requestIndex = mRequests.indexOfKey(fd);if (requestIndex < 0) {// requestIndex < 0 表示之前没有添加过, 添加 epoll 监听fdint epollResult = epoll_ctl(mEpollFd.get(), EPOLL_CTL_ADD, fd, &eventItem);if (epollResult < 0) {ALOGE("Error adding epoll events for fd %d: %s", fd, strerror(errno));return -1;}//把之前的cb赋值的request存入mRequests,供后续调用mRequests.add(fd, request);} else {// 表示之前有添加过,更新epollint epollResult = epoll_ctl(mEpollFd.get(), EPOLL_CTL_MOD, fd, &eventItem);if (epollResult < 0) {if (errno == ENOENT) {...epollResult = epoll_ctl(mEpollFd.get(), EPOLL_CTL_ADD, fd, &eventItem);if (epollResult < 0) {ALOGE("Error modifying or adding epoll events for fd %d: %s",fd, strerror(errno));return -1;}scheduleEpollRebuildLocked();} else {ALOGE("Error modifying epoll events for fd %d: %s", fd, strerror(errno));return -1;}}mRequests.replaceValueAt(requestIndex, request);}} // release lockreturn 1;
}
5.6 ClientCallbackCallback::setupTo()
把ClientCallbackCallback 加入Lopper,存入全局列表mRequests中,epoll监听fdTimer的变化
[/system/hwservicemanager/service.cpp]
class ClientCallbackCallback : public LooperCallback {
public:static sp<ClientCallbackCallback> setupTo(const sp<Looper>& looper, const sp<ServiceManager>& manager) {sp<ClientCallbackCallback> cb = new ClientCallbackCallback(manager);//创建一个定时器int fdTimer = timerfd_create(CLOCK_MONOTONIC, 0 /*flags*/);LOG_ALWAYS_FATAL_IF(fdTimer < 0, "Failed to timerfd_create: fd: %d err: %d", fdTimer, errno);itimerspec timespec {.it_interval = {.tv_sec = 5, //设置查询周期为5秒.tv_nsec = 0,},.it_value = {.tv_sec = 5, //设置超时为5秒.tv_nsec = 0,},};int timeRes = timerfd_settime(fdTimer, 0 /*flags*/, ×pec, nullptr);LOG_ALWAYS_FATAL_IF(timeRes < 0, "Failed to timerfd_settime: res: %d err: %d", timeRes, errno);//把ClientCallbackCallback 加入Lopper,存入全局列表mRequests中int addRes = looper->addFd(fdTimer,Looper::POLL_CALLBACK,Looper::EVENT_INPUT,cb,nullptr);LOG_ALWAYS_FATAL_IF(addRes != 1, "Failed to add client callback FD to Looper");return cb;}
};
5.7 pollAll()
HwServiceManager 会启动一个死循环来等待事件、分析时间,这个等待的入口就是pollAll(),先简略的看一下pollAll()的上下文关系。
pollAll()的调用栈如下:
传入的timeoutMillis为-1
[/system/core/libutils/Looper.cpp]
inline int pollAll(int timeoutMillis) {return pollAll(timeoutMillis, nullptr, nullptr, nullptr);
}int Looper::pollAll(int timeoutMillis, int* outFd, int* outEvents, void** outData) {if (timeoutMillis <= 0) {int result;do {//传入的timeoutMillis为-1,走该流程,调用pollOnce() 参考[5.7.1]result = pollOnce(timeoutMillis, outFd, outEvents, outData);} while (result == POLL_CALLBACK);return result;} else {nsecs_t endTime = systemTime(SYSTEM_TIME_MONOTONIC)+ milliseconds_to_nanoseconds(timeoutMillis);for (;;) {int result = pollOnce(timeoutMillis, outFd, outEvents, outData);if (result != POLL_CALLBACK) {return result;}nsecs_t now = systemTime(SYSTEM_TIME_MONOTONIC);timeoutMillis = toMillisecondTimeoutDelay(now, endTime);if (timeoutMillis == 0) {return POLL_TIMEOUT;}}}
}
5.7.1 Looper::pollOnce()
检查response是否有需要处理,最终调用pollInner()
[/system/core/libutils/Looper.cpp]
int Looper::pollOnce(int timeoutMillis, int* outFd, int* outEvents, void** outData) {int result = 0;for (;;) {while (mResponseIndex < mResponses.size()) {const Response& response = mResponses.itemAt(mResponseIndex++);int ident = response.request.ident;if (ident >= 0) {int fd = response.request.fd;int events = response.events;void* data = response.request.data;...if (outFd != nullptr) *outFd = fd;if (outEvents != nullptr) *outEvents = events;if (outData != nullptr) *outData = data;return ident;}}if (result != 0) {...if (outFd != nullptr) *outFd = 0;if (outEvents != nullptr) *outEvents = 0;if (outData != nullptr) *outData = nullptr;return result;}//参考[5.7.2]result = pollInner(timeoutMillis);}
}
5.7.2 Looper::pollInner()
调用epoll_wait,等待epoll的消息,epoll_wait()类似于select()调用,监听EPOLL的事件发生,最大允许16个EPOLL事件上报,当有事件上报时,调用之前存入mRequests中的所有回调,例如HwBinderCallback 、ClientCallbackCallback 的handleEvent
[/system/core/libutils/Looper.cpp]
int Looper::pollInner(int timeoutMillis) {// Adjust the timeout based on when the next message is due.if (timeoutMillis != 0 && mNextMessageUptime != LLONG_MAX) {nsecs_t now = systemTime(SYSTEM_TIME_MONOTONIC);int messageTimeoutMillis = toMillisecondTimeoutDelay(now, mNextMessageUptime);if (messageTimeoutMillis >= 0&& (timeoutMillis < 0 || messageTimeoutMillis < timeoutMillis)) {timeoutMillis = messageTimeoutMillis;}...}// Poll.int result = POLL_WAKE;mResponses.clear();mResponseIndex = 0;// We are about to idle.mPolling = true;//1.调用epoll_wait,等待epoll的消息//epoll_wait()类似于select()调用,监听EPOLL的事件发生,最大允许16个EPOLL事件上报struct epoll_event eventItems[EPOLL_MAX_EVENTS];int eventCount = epoll_wait(mEpollFd.get(), eventItems, EPOLL_MAX_EVENTS, timeoutMillis);// No longer idling.mPolling = false;// 上锁mLock.lock();// Rebuild epoll set if needed.if (mEpollRebuildRequired) {mEpollRebuildRequired = false;rebuildEpollLocked();goto Done;}// Check for poll error.if (eventCount < 0) {if (errno == EINTR) {goto Done;}ALOGW("Poll failed with an unexpected error: %s", strerror(errno));result = POLL_ERROR;goto Done;}// Check for poll timeout.if (eventCount == 0) {
#if DEBUG_POLL_AND_WAKEALOGD("%p ~ pollOnce - timeout", this);
#endifresult = POLL_TIMEOUT;goto Done;}for (int i = 0; i < eventCount; i++) {int fd = eventItems[i].data.fd;uint32_t epollEvents = eventItems[i].events;if (fd == mWakeEventFd.get()) {if (epollEvents & EPOLLIN) {awoken();} else {ALOGW("Ignoring unexpected epoll events 0x%x on wake event fd.", epollEvents);}} else {ssize_t requestIndex = mRequests.indexOfKey(fd);if (requestIndex >= 0) {int events = 0;if (epollEvents & EPOLLIN) events |= EVENT_INPUT;if (epollEvents & EPOLLOUT) events |= EVENT_OUTPUT;if (epollEvents & EPOLLERR) events |= EVENT_ERROR;if (epollEvents & EPOLLHUP) events |= EVENT_HANGUP;//把之前HwBinderCallback 和ClientCallbackCallback 的回调,插入到mResponses中pushResponse(events, mRequests.valueAt(requestIndex));} else {ALOGW("Ignoring unexpected epoll events 0x%x on fd %d that is ""no longer registered.", epollEvents, fd);}}}
Done: ;// Invoke pending message callbacks.mNextMessageUptime = LLONG_MAX;while (mMessageEnvelopes.size() != 0) {nsecs_t now = systemTime(SYSTEM_TIME_MONOTONIC);const MessageEnvelope& messageEnvelope = mMessageEnvelopes.itemAt(0);if (messageEnvelope.uptime <= now) {// Remove the envelope from the list.// We keep a strong reference to the handler until the call to handleMessage// finishes. Then we drop it so that the handler can be deleted *before*// we reacquire our lock.{ // obtain handlersp<MessageHandler> handler = messageEnvelope.handler;Message message = messageEnvelope.message;mMessageEnvelopes.removeAt(0);mSendingMessage = true;mLock.unlock();..handler->handleMessage(message);} // release handlermLock.lock();mSendingMessage = false;result = POLL_CALLBACK;} else {// The last message left at the head of the queue determines the next wakeup time.mNextMessageUptime = messageEnvelope.uptime;break;}}//释放锁mLock.unlock();// Invoke all response callbacks.for (size_t i = 0; i < mResponses.size(); i++) {Response& response = mResponses.editItemAt(i);if (response.request.ident == POLL_CALLBACK) {int fd = response.request.fd;int events = response.events;void* data = response.request.data;...//调用之前存入mRequests中的所有回调,例如HwBinderCallback 、ClientCallbackCallback 的handleEvent//参考[5.7.3]int callbackResult = response.request.callback->handleEvent(fd, events, data);if (callbackResult == 0) {removeFd(fd, response.request.seq);}// Clear the callback reference in the response structure promptly because we// will not clear the response vector itself until the next poll.response.request.callback.clear();result = POLL_CALLBACK;}}return result;
}
我们这里以HwBinderCallback::handleEvent()为回调的handler处理为例进行分析。
5.7.3 HwBinderCallback::handleEvent()
handleEvent调用栈:
[/system/hwservicemanager/service.cpp]
class HwBinderCallback : public LooperCallback {
public:int handleEvent(int fd, int /*events*/, void* /*data*/) override {handleTransportPoll(fd);return 1; // Continue receiving callbacks.}
};
最终会调用到IPCThreadState::handlePolledCommands()
5.7.4 IPCThreadState::handlePolledCommands()
从hwbinder去除命令并执行命令,最后将mOut的数据写入hwbinder驱动
[/system/libhwbinder/IPCThreadState.cpp]
status_t IPCThreadState::handlePolledCommands()
{status_t result;do {//1.获取命令,并执行它, 参考[5.7.5]result = getAndExecuteCommand();} while (mIn.dataPosition() < mIn.dataSize());processPendingDerefs();flushCommands();return result;
}
5.7.5 IPCThreadState::getAndExecuteCommand()
从hwbinder取出cmd命令,然后执行这些命令
[/system/libhwbinder/IPCThreadState.cpp]
status_t IPCThreadState::getAndExecuteCommand()
{status_t result;int32_t cmd;//1.向hwbinder发送read_write 命令,获取hwbinder的返回数据//参考[5.5.2]result = talkWithDriver();if (result >= NO_ERROR) {size_t IN = mIn.dataAvail();if (IN < sizeof(int32_t)) return result;//从hwbinder驱动cmd命令cmd = mIn.readInt32();IF_LOG_COMMANDS() {alog << "Processing top-level Command: "<< getReturnString(cmd) << endl;}pthread_mutex_lock(&mProcess->mThreadCountLock);mProcess->mExecutingThreadsCount++;if (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads &&mProcess->mMaxThreads > 1 && mProcess->mStarvationStartTimeMs == 0) {mProcess->mStarvationStartTimeMs = uptimeMillis();}pthread_mutex_unlock(&mProcess->mThreadCountLock);//2.处理 hwbinder驱动返回的BR_TRANSACTION等 命令,参考[5.7.6]result = executeCommand(cmd);...return result;
}
5.7.6 IPCThreadState::executeCommand()
执行命令,hwbinder和hwservicemanager 通信的常用命令为 BR_TRANSACTION
[/system/libhwbinder/IPCThreadState.cpp]
status_t IPCThreadState::executeCommand(int32_t cmd)
{BHwBinder* obj;RefBase::weakref_type* refs;status_t result = NO_ERROR;switch ((uint32_t)cmd) {...case BR_TRANSACTION_SEC_CTX:case BR_TRANSACTION:{binder_transaction_data_secctx tr_secctx;binder_transaction_data& tr = tr_secctx.transaction_data;if (cmd == BR_TRANSACTION_SEC_CTX) {result = mIn.read(&tr_secctx, sizeof(tr_secctx));} else {result = mIn.read(&tr, sizeof(tr));tr_secctx.secctx = 0;}ALOG_ASSERT(result == NO_ERROR,"Not enough command data for brTRANSACTION");if (result != NO_ERROR) break;// Record the fact that we're in a hwbinder callmIPCThreadStateBase->pushCurrentState(IPCThreadStateBase::CallState::HWBINDER);Parcel buffer;buffer.ipcSetDataReference(reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),tr.data_size,reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),tr.offsets_size/sizeof(binder_size_t), freeBuffer, this);const pid_t origPid = mCallingPid;const char* origSid = mCallingSid;const uid_t origUid = mCallingUid;const int32_t origStrictModePolicy = mStrictModePolicy;const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags;mCallingPid = tr.sender_pid;mCallingSid = reinterpret_cast<const char*>(tr_secctx.secctx);mCallingUid = tr.sender_euid;mLastTransactionBinderFlags = tr.flags;Parcel reply;status_t error;bool reply_sent = false;...//构造一个匿名回调函数,处理完之后会使用这个函数发送 replyParcel auto reply_callback = [&] (auto &replyParcel) {if (reply_sent) {// Reply was sent earlier, ignore it.ALOGE("Dropping binder reply, it was sent already.");return;}reply_sent = true;if ((tr.flags & TF_ONE_WAY) == 0) {replyParcel.setError(NO_ERROR);sendReply(replyParcel, 0);} else {ALOGE("Not sending reply in one-way transaction");}};//hwservicemanager不会走这个分支if (tr.target.ptr) {// We only have a weak reference on the target object, so we must first try to// safely acquire a strong reference before doing anything else with it.if (reinterpret_cast<RefBase::weakref_type*>(tr.target.ptr)->attemptIncStrong(this)) {error = reinterpret_cast<BHwBinder*>(tr.cookie)->transact(tr.code, buffer,&reply, tr.flags, reply_callback);reinterpret_cast<BHwBinder*>(tr.cookie)->decStrong(this);} else {error = UNKNOWN_TRANSACTION;}} else {//mContextObject 就是我们前面设置的 BnHwServiceManager ,参考[5.7.7]error = mContextObject->transact(tr.code, buffer, &reply, tr.flags, reply_callback);}mIPCThreadStateBase->popCurrentState();if ((tr.flags & TF_ONE_WAY) == 0) {if (!reply_sent) {// Should have been a reply but there wasn't, so there// must have been an error instead.reply.setError(error);sendReply(reply, 0);} else {if (error != NO_ERROR) {ALOGE("transact() returned error after sending reply.");} else {// Ok, reply sent and transact didn't return an error.}}} else {// One-way transaction, don't care about return value or reply.}//ALOGI("<<<< TRANSACT from pid %d restore pid %d sid %s uid %d\n",// mCallingPid, origPid, (origSid ? origSid : "<N/A>"), origUid);mCallingPid = origPid;mCallingSid = origSid;mCallingUid = origUid;mStrictModePolicy = origStrictModePolicy;mLastTransactionBinderFlags = origTransactionBinderFlags;IF_LOG_TRANSACTIONS() {alog << "BC_REPLY thr " << (void*)pthread_self() << " / obj "<< tr.target.ptr << ": " << indent << reply << dedent << endl;}}break;case BR_DEAD_BINDER:{BpHwBinder *proxy = (BpHwBinder*)mIn.readPointer();proxy->sendObituary();mOut.writeInt32(BC_DEAD_BINDER_DONE);mOut.writePointer((uintptr_t)proxy);} break;...}if (result != NO_ERROR) {mLastError = result;}return result;
}
5.7.7 BHwBinder::transact()
根据传入的BR_TRANSACTION,最终调用到BnHwServiceManager的transact,但是由于BnHwServiceManager没有transact(),所以调用父类的transact(),即BHwBinder::transact
[/system/libhwbinder/Binder.cpp]
status_t BHwBinder::transact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags, TransactCallback callback)
{data.setDataPosition(0);status_t err = NO_ERROR;switch (code) {default://BnHwServiceManager 实现了 onTransact(),参考[5.7.8] err = onTransact(code, data, reply, flags,[&](auto &replyParcel) {replyParcel.setDataPosition(0);if (callback != nullptr) {callback(replyParcel);}});break;}return err;
}
5.7.8 BnHwServiceManager::onTransact()
最终会调用到这来处理其他进程发来的请求, 其实最后做事的是 ServiceManager对象,根据client传入的code,来执行不同的接口
例如有进程向注册一个hidl的服务时,调用registerAsService()时,在Android10.0上最终是调用addWithChain()接口,这里的code是12,
一个进程需要获取某个hidl服务时,需要调用get()接口,这里的code是1
[/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.2/ServiceManagerAll.cpp]
::android::status_t BnHwServiceManager::onTransact(uint32_t _hidl_code,const ::android::hardware::Parcel &_hidl_data,::android::hardware::Parcel *_hidl_reply,uint32_t _hidl_flags,TransactCallback _hidl_cb) {::android::status_t _hidl_err = ::android::OK;switch (_hidl_code) {case 1 /* get */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_get(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 2 /* add */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_add(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 3 /* getTransport */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_getTransport(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 4 /* list */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_list(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 5 /* listByInterface */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_listByInterface(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 6 /* registerForNotifications */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_registerForNotifications(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 7 /* debugDump */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_debugDump(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 8 /* registerPassthroughClient */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_0::BnHwServiceManager::_hidl_registerPassthroughClient(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 9 /* unregisterForNotifications */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_1::BnHwServiceManager::_hidl_unregisterForNotifications(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 10 /* registerClientCallback */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_2::BnHwServiceManager::_hidl_registerClientCallback(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 11 /* unregisterClientCallback */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_2::BnHwServiceManager::_hidl_unregisterClientCallback(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 12 /* addWithChain */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_2::BnHwServiceManager::_hidl_addWithChain(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 13 /* listManifestByInterface */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_2::BnHwServiceManager::_hidl_listManifestByInterface(this, _hidl_data, _hidl_reply, _hidl_cb);break;}case 14 /* tryUnregister */:{bool _hidl_is_oneway = _hidl_flags & 1u /* oneway */;if (_hidl_is_oneway != false) {return ::android::UNKNOWN_ERROR;}_hidl_err = ::android::hidl::manager::V1_2::BnHwServiceManager::_hidl_tryUnregister(this, _hidl_data, _hidl_reply, _hidl_cb);break;}default:{return ::android::hidl::base::V1_0::BnHwBase::onTransact(_hidl_code, _hidl_data, _hidl_reply, _hidl_flags, _hidl_cb);}}if (_hidl_err == ::android::UNEXPECTED_NULL) {_hidl_err = ::android::hardware::writeToParcel(::android::hardware::Status::fromExceptionCode(::android::hardware::Status::EX_NULL_POINTER),_hidl_reply);}return _hidl_err;
}
6.总结
HwServiceManager作为HwBinder的守护进程,主要作用就是收集各个硬件服务,当有进程需要服务时由 HwServiceManager 提供特定的硬件服务。
7.代码路径:
/system/hwservicemanager/service.cpp
/system/hwservicemanager/ServiceManager.cpp
/system/libhwbinder/Binder.cpp
/system/libhwbinder/IPCThreadState.cpp
/system/libhwbinder/ProcessState.cpp
/system/libhidl/transport/HidlTransportSupport.cpp
/system/libhidl/transport/HidlBinderSupport.cpp
/system/core/libutils/Looper.cpp
/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.0/ServiceManagerAll.cpp
/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.1/ServiceManagerAll.cpp
/out/soong/.intermediates/system/libhidl/transport/manager/1.0/android.hidl.manager@1.0_genc++/gen/android/hidl/manager/1.2/ServiceManagerAll.cpp
我的微信公众号:IngresGe
HwServiceManager篇-Android10.0 HwBinder通信原理(五)相关推荐
- nacis服务注册原理_HwServiceManager篇Android10.0 HwBinder通信原理(五)
阅读本文大约需要花费34分钟. 原创不易,如果您觉得有点用,希望可以随手转发或者点击右下角的 "在看".""分享"",拜谢! <And ...
- HwBinder驱动篇-Android10.0 HwBinder通信原理(十)
摘要:本节主要来讲解Android10.0 HwBinder驱动的流程 阅读本文大约需要花费24分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Android的平台设 ...
- HwBinder入门篇-Android10.0 HwBinder通信原理(一)
摘要:本节主要来讲解Android10.0 HwBinder的通信原理概要 阅读本文大约需要花费18分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Android的平 ...
- HwBinder原理总结-Android10.0 HwBinder通信原理(十一)
摘要:本节主要来进行Android10.0 HwBinder的原理总结 阅读本文大约需要花费14分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Android的平台设 ...
- JAVA层HIDL服务的获取原理-Android10.0 HwBinder通信原理(九)
摘要:本节主要来讲解Android10.0 JAVA层HIDL服务的获取原理 阅读本文大约需要花费19分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Android的 ...
- JAVA层HIDL服务的注册原理-Android10.0 HwBinder通信原理(八)
摘要:本节主要来讲解Android10.0 JAVA层HIDL服务的注册原理 阅读本文大约需要花费22分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Android的 ...
- Native层HIDL服务的获取原理-Android10.0 HwBinder通信原理(七)
摘要:本节主要来讲解Android10.0 Native层HIDL服务的获取原理 阅读本文大约需要花费23分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Androi ...
- Native层HIDL服务的注册原理-Android10.0 HwBinder通信原理(六)
摘要:本节主要来讲解Android10.0 Native层HIDL服务的注册原理 阅读本文大约需要花费23分钟. 文章首发微信公众号:IngresGe 专注于Android系统级源码分析,Androi ...
- HIDL示例-JAVA服务创建-Client验证-Android10.0 HwBinder通信原理(四)
摘要:本节主要来讲解Android10.0 JAVA层的HIDL服务创建和JAVA层的Client验证 阅读本文大约需要花费15分钟. 文章首发微信公众号:IngresGe 专注于Android系统级 ...
最新文章
- sql附加服务器数据库文件夹,快速开发平台企业版--后台SqlServer更换服务器,可以用数据库分离与附加方法重新启动...
- html编辑器 br 被div,百度Ueditor编辑器DIV,html标签替换及代码被过滤问题解决方法...
- boost::units::conversion_factor相关的测试程序
- 学习笔记——本地事务ACID四大特性
- Python开发基础-day1
- 1.7见识一下什么叫Linux驱动:LED
- 自建服务器解网络锁,掌握iPhone1-4代刷机技巧
- webstorm 破解
- 扩展切比雪夫多项式(混沌映射, Chebyshev chaotic map)
- java 毕向东 内部类_毕向东视频学习笔记【Java_Day10 多态+内部类】
- 你有必要不沾计算机一段时间英语,新目标英语八年级下第一单元知识点
- python输入负数_如何让python使用负数
- 新西兰梅西大学有计算机专业吗,【新西兰梅西大学计算机专业】 - 教外新西兰留学网...
- 2022最新高通8155平台开源代码最新代码下载、编译方法
- 点与直线位置关系,叉乘
- xmind新手入门教程,xmind怎么用?
- python数据科学导论_数据科学导论:Python语言(原书第3版)
- nginx 静态资源优化配置
- 如何给sublime text3安装汉化包?so easy 哦
- 什么是闭包?闭包有啥作用?闭包的应用有啥?内存优化?
热门文章
- tensorflow2.2.0安装_Zabbix5.0安装部署
- java get不支持_java – HTTP Get:只下载头文件? (HEAD不支持)
- 比较某两个时间的时间戳相等
- [译] React Native vs. Cordova、PhoneGap、Ionic,等等
- 多线程基础篇(3)——初试锁
- Lispbox的简单配置
- 移动端手势操作--两点同时点击的实现方案
- 开发程序实现nginx代理节点状态检查及WEB界面展示
- NSDate的具体用法
- JAVA类型转换问题