在Native Binder的系统服务注册过程中,核心是ServiceManager,在Java Binder中,也有一个ServiceManager,然而这个ServiceManager是个Java文件。在Java Binder注册系统服务到也需要用到ServiceManager,那么需要选择一个系统服务来窥探这一过程,这里以常见的ActivityManagerServcie(AMS)为例。
1-将AMS注册到ServiceManager 在AMS的setSystemProcess方法中,会调用ServiceManager的addService方法,至于为什么会调用AMS的setSystemProcess方法可自行查阅SystemService进程的启动流程。
frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 public void setSystemProcess () try { ServiceManager.addService(Context.ACTIVITY_SERVICE, this , true , DUMP_FLAG_PRIORITY_CRITICAL | DUMP_FLAG_PRIORITY_NORMAL | DUMP_FLAG_PROTO); ServiceManager.addService(ProcessStats.SERVICE_NAME, mProcessStats); } catch (PackageManager.NameNotFoundException e) { throw new RuntimeException( "Unable to find android system package" , e); } }
Context.ACTIVITY_SERVICE的值为activity,和Native Binder类事把服务名添加到ServiceManager中。
frameworks/base/core/java/android/os/ServiceManager.java
1 2 3 4 5 6 7 8 9 public static void addService (String name, IBinder service, boolean allowIsolated, int dumpPriority) try { getIServiceManager().addService(name, service, allowIsolated, dumpPriority); } catch (RemoteException e) { Log.e(TAG, "error in addService" , e); } }
主要看getIServiceManager方法返回的是什么,代码如下
frameworks/base/core/java/android/os/ServiceManager.java
1 2 3 4 5 6 7 8 9 10 private static IServiceManager getIServiceManager () if (sServiceManager != null ) { return sServiceManager; } sServiceManager = ServiceManagerNative .asInterface(Binder.allowBlocking(BinderInternal.getContextObject())); return sServiceManager; }
BinderInternal.getContextObject())
ServiceManagerNative.asInterface
getIServiceManager().addService
1.1-BinderInternal.getContextObject Binder.allowBlocking的作用就是将BinderProxy的mWarnOnBlocking的值设置为 false,主要分析的BinderInternal.getContextObject方法的作用,这是一个Native方法。在Java Binder的JNI注册 文章中说了会注册BinderInternal的Native方法。getContextObject就是其中之一,它对于JNI函数如下:
frameworks/base/core/jni/android_util_Binder.cpp
1 2 3 4 5 static jobject android_os_BinderInternal_getContextObject (JNIEnv* env, jobject clazz) sp<IBinder> b = ProcessState::self ()->getContextObject (NULL ); return javaObjectForIBinder (env, b); }
又看见了熟悉的ProcessState::self()->getContextObject(NULL),最终会返回个BpBinder,不熟悉的朋友可以查看Native Binder机制之系统服务注册 。BpBinder是Native Binder的客户端,这说明Java Binder需要Native的BpBinder,但是BpBinder在Java层无法直接使用,所以这里使用javaObjectForIBinder函数进行处理,代码如下:
frameworks/base/core/jni/android_util_Binder.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 jobject javaObjectForIBinder (JNIEnv* env, const sp<IBinder>& val) if (val == NULL ) return NULL ; if (val->checkSubclass (&gBinderOffsets)) { jobject object = static_cast <JavaBBinder*>(val.get ())->object (); LOGDEATH ("objectForBinder %p: it's our own %p!\n" , val.get (), object); return object; } AutoMutex _l(gProxyLock); BinderProxyNativeData* nativeData = gNativeDataCache; if (nativeData == nullptr ) { nativeData = new BinderProxyNativeData (); } jobject object = env->CallStaticObjectMethod (gBinderProxyOffsets.mClass, gBinderProxyOffsets.mGetInstance, (jlong) nativeData, (jlong) val.get ()); if (env->ExceptionCheck ()) { gNativeDataCache = nullptr ; return NULL ; } BinderProxyNativeData* actualNativeData = getBPNativeData (env, object); if (actualNativeData == nativeData) { nativeData->mOrgue = new DeathRecipientList; nativeData->mObject = val; gNativeDataCache = nullptr ; ++gNumProxies; if (gNumProxies >= gProxiesWarned + PROXY_WARN_INTERVAL) { ALOGW ("Unexpectedly many live BinderProxies: %d\n" , gNumProxies); gProxiesWarned = gNumProxies; } } else { gNativeDataCache = nativeData; } return object; }
先看这个函数的注释:
If the argument is a JavaBBinder, return the Java object that was used to create it.
解释的很清楚,如果参数是JavaBBinder,则返回用于创建它的Java对象。否则为返回一个BinderProxy。如果之前的调用传递IBinder相同,并且BinderProxy已存在,则这把BinderProxy返回。此时调用javaObjectForIBinder的参数是BpBinder,显然会返回一个BinderProxy。
还是记得之前BinderProxy类的初始化 吗,会在gBinderProxyOffsets这个结构体保存BinderProxy类一些相关信息。javaObjectForIBinder函数,
1 2 3 4 BinderProxyNativeData* nativeData = gNativeDataCache; if (nativeData == nullptr ) { nativeData = new BinderProxyNativeData (); }
创建一个BinderProxyNativeData对象复制给nativeData,先其内部的空的。
注意下面这行代码:
1 2 3 jobject object = env->CallStaticObjectMethod (gBinderProxyOffsets.mClass, gBinderProxyOffsets.mGetInstance, (jlong) nativeData, (jlong) val.get ());
其实是调用Java层BinderProxy.getInstance方法,入参数分别是BinderProxyNativeData对象和BpBinder
frameworks/base/core/java/android/os/Binder.java::BinderProxy
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 private static BinderProxy getInstance (long nativeData, long iBinder) BinderProxy result; try { result = sProxyMap.get (iBinder); if (result != null) { return result; } result = new BinderProxy (nativeData); } catch NativeAllocationRegistry.applyFreeFunction (NoImagePreloadHolder.sNativeFinalizer, nativeData); throw e; } NoImagePreloadHolder.sRegistry.registerNativeAllocation (result, nativeData); sProxyMap.set (iBinder, result); return result; } private BinderProxy (long nativeData) mNativeData = nativeData; }
关于getBPNativeData部分的代码:
1 2 3 4 5 6 BinderProxyNativeData* actualNativeData = getBPNativeData (env, object); BinderProxyNativeData* getBPNativeData (JNIEnv* env, jobject obj) { return (BinderProxyNativeData *) env->GetLongField (obj, gBinderProxyOffsets.mNativeData); }
getBPNativeData函数其实就是获取Java层BinderProxy的 mNativeData属性字段。
最后一段代码,逻辑上就是给gNativeDataCache的mObject和mOrgue赋值,注意mObject就是BpBinder,然后复用gNativeDataCache,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 if (actualNativeData == nativeData) { nativeData->mOrgue = new DeathRecipientList; nativeData->mObject = val; gNativeDataCache = nullptr ; ++gNumProxies; if (gNumProxies >= gProxiesWarned + PROXY_WARN_INTERVAL) { ALOGW ("Unexpectedly many live BinderProxies: %d\n" , gNumProxies); gProxiesWarned = gNumProxies; } } else { gNativeDataCache = nativeData; }
看了这么一大段代码,一会调用C++,一会有调用Java,Native对象和Java对象互相指向,是不是有点晕。总结一下javaObjectForIBinder函数:
如果nativeData为空的话,就创建一个BinderProxyNativeData对象
调用Java层BinderProxy的getInstance方法返回一个Java层的BinderProxy对象
getInstance方法两个入参数Native层的nativeData和BpBinder在getInstance方法内会把nativeData赋值给Java 层BinderProxy的mNativeData字段。
根据Native层BpBinder缓存BinderProxy对象
通过getBPNativeData函数获取Java层BinderProxy的成员变量mNativeData指向Native的BinderProxyNativeData
最终javaObjectForIBinder函数会返回Java层的BpBinder
关于为什么这么设计,没看到查到更多设计文档,但从BinderProxyNativeData上的注释的可知一二:减少 JNI Java 字段访问的数量
1 2 3 4 5 6 7 8 9 struct BinderProxyNativeData { sp<IBinder> mObject; sp<DeathRecipientList> mOrgue; };
1.2-ServiceManagerNative.asInterface 还记得Native层的障眼法asInterface函数,它的作用就是通过BpBinder创建一个BpServiceManager。那在Java层的asInterface方法到底是干什么呢?
android.os.ServiceManagerNative
1 2 3 4 5 6 7 8 9 10 11 12 static public IServiceManager asInterface (IBinder obj) if (obj == null ) { return null ; } IServiceManager in = (IServiceManager)obj.queryLocalInterface(descriptor); if (in != null ) { return in; } return new ServiceManagerProxy(obj); }
这里的obj的值为BinderProxy,那asInterface方法的作用就是以BinderProxy创建一个ServiceManagerProxy对象。
BinderProxy和BpBinder分别代表Java层和Native层的客户端。在Native层BpServiceManager通过BpBinder来通信。ServiceManagerProxy将业务请求交给BinderProxy处理。
1 sServiceManager = ServiceManagerNative.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
上面的代码经过前面篇幅的分析,其实可以转化为如下:
1 sServiceManager =new ServiceManagerProxy(new BinderProxy()));
1.3-getIServiceManager().addService getIServiceManager()返回的是ServiceManagerProxy,ServiceManagerProxy是ServiceManagerNative的内部类。它实现了IServiceManager的接口。
android.os.ServiceManagerNative.java::ServiceManagerProxy
1 2 3 4 5 6 7 8 9 10 11 12 13 public void addService (String name, IBinder service, boolean allowIsolated, int dumpPriority) throws RemoteException { Parcel data = Parcel.obtain (); Parcel reply = Parcel.obtain (); data.writeInterfaceToken (IServiceManager.descriptor); data.writeString (name); data.writeStrongBinder (service); data.writeInt (allowIsolated ? 1 : 0 ); data.writeInt (dumpPriority); mRemote.transact (ADD_SERVICE_TRANSACTION, data, reply, 0 ); reply.recycle (); data.recycle (); }
这里和Native层的addService很像,分别创建请求和接受的数据包Parcel。把service写入到data中,关于data.writeStrongBinder(service)后面会重点将。调用mRemote的transact方法,ADD_SERVICE_TRANSACTION在Native层也见到过,最终会在内核层处理这个switch/case。但问题是现在Java层,如何和关联Native层服务注册呢?mRemote就是BinderProxy,看它的transact方法:
1 2 3 4 5 6 7 8 9 10 11 12 public boolean transact (int code, Parcel data, Parcel reply, int flags) throws RemoteException try { return transactNative(code, data, reply, flags); } finally { if (tracingEnabled) { Trace.traceEnd(Trace.TRACE_TAG_ALWAYS); } } } public native boolean transactNative (int code, Parcel data, Parcel reply, int flags) throws RemoteException
最终会调用一个 native函数,再次回到android_util_Binder.cpp
frameworks/base/core/jni/android_util_Binder.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 static const JNINativeMethod gBinderProxyMethods[] = { {"transactNative" , "(ILandroid/os/Parcel;Landroid/os/Parcel;I)Z" , (void *)android_os_BinderProxy_transact}, }; static jboolean android_os_BinderProxy_transact (JNIEnv* env, jobject obj, jint code, jobject dataObj, jobject replyObj, jint flags) if (dataObj == NULL ) { jniThrowNullPointerException (env, NULL ); return JNI_FALSE; } Parcel* data = parcelForJavaObject (env, dataObj); if (data == NULL ) { return JNI_FALSE; } Parcel* reply = parcelForJavaObject (env, replyObj); if (reply == NULL && replyObj != NULL ) { return JNI_FALSE; } IBinder* target = getBPNativeData (env, obj)->mObject.get (); if (target == NULL ) { jniThrowException (env, "java/lang/IllegalStateException" , "Binder has been finalized!" ); return JNI_FALSE; } status_t err = target->transact (code, *data, reply, flags); if (kEnableBinderSample) { if (time_binder_calls) { conditionally_log_binder_call (start_millis, target, code); } } if (err == NO_ERROR) { return JNI_TRUE; } else if (err == UNKNOWN_TRANSACTION) { return JNI_FALSE; } signalExceptionForError (env, obj, err, true , data->dataSize ()); return JNI_FALSE; }
该函数会先正注释1和注释2处把Java层的请求和接收数据的包转为Native的层的Parcel。然后调用getBPNativeData函数:
1 2 3 BinderProxyNativeData* getBPNativeData (JNIEnv* env, jobject obj) { return (BinderProxyNativeData *) env->GetLongField (obj, gBinderProxyOffsets.mNativeData); }
获取Java层BinderProxy的mNativeData成员变量,mNativeData其实就是Native层的BinderProxyNativeData,返回到注释3,获取BinderProxyNativeData的mObject,也就是BpBinder。接着来到注释4调用BpBinder的transact函数,向Binder驱动发送数据,这部分内容在Native Binder机制之系统服务注册 已经分析过了,不再赘述。
2-引出JavaBBinder 在对addService分析时曾提示data.writeStrongBinder(service),很重要,那它到底最重要在哪呢?
frameworks/base/core/java/android/os/Parcel.java
1 2 3 public final void writeStrongBinder (IBinder val) nativeWriteStrongBinder (mNativePtr, val); }
frameworks/base/core/jni/android_os_Parcel.cpp
1 2 3 4 5 6 7 8 9 10 11 12 {"nativeWriteStrongBinder" , "(JLandroid/os/IBinder;)V" , (void *)android_os_Parcel_writeStrongBinder}, static void android_os_Parcel_writeStrongBinder (JNIEnv* env, jclass clazz, jlong nativePtr, jobject object) Parcel* parcel = reinterpret_cast <Parcel*>(nativePtr); if (parcel != NULL ) { const status_t err = parcel->writeStrongBinder (ibinderForJavaObject (env, object)); if (err != NO_ERROR) { signalExceptionForError (env, clazz, err); } } }
刚刚分析了javaObjectForIBinder,这里又出现了ibinderForJavaObject,从命名上有点倒过来的感觉,有点意思。把Java层传进来Binder通过ibinderForJavaObject函数转换一下保存到parcel数据包中。
frameworks/base/core/jni/android_util_Binder.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 sp<IBinder> ibinderForJavaObject (JNIEnv* env, jobject obj) if (obj == NULL ) return NULL ; if (env->IsInstanceOf (obj, gBinderOffsets.mClass)) { JavaBBinderHolder* jbh = (JavaBBinderHolder*) env->GetLongField (obj, gBinderOffsets.mObject); return jbh->get (env, obj); } if (env->IsInstanceOf (obj, gBinderProxyOffsets.mClass)) { return getBPNativeData (env, obj)->mObject; } ALOGW ("ibinderForJavaObject: %p is not a Binder object" , obj); return NULL ; }
第一种情况:如果Java层obj对象是的Binder类,则获取Java层obj对象的成员mObject,也是就是Native层的JavaBBinderHolder对象,然后调用JavaBBinderHolder的get函数。
第二种情况:如果Java层obj对象是BinderProxy类,则返回BpBinder。
此时的obj是Jave层传入的ActivityManagerService,那得看AMS具体是从什么派生出来的。
1 2 3 4 public class ActivityManagerService extends IActivityManager .Stub implements Watchdog .Monitor , BatteryStatsImpl .BatteryCallback { }
可以看到ActivityManagerService是继承IActivityManager.Stub,但在代码中是无法直接搜索得该类。只有一个IActivityManager.aidl文件,看到这里应当知道是位编译阶段根据IActivityManager.aidl生成 IActivityManager.java。
1 2 3 4 5 6 7 8 9 10 11 12 13 public interface IActivityManager extends IInterface public static abstract class Stub extends android .os .Binder implements android .app .IActivityManager } private static class Proxy implements android .app .IActivityManager } }
IActivityManager内部类Stub继承Binder,并实现了IActivityManager接口。所以ActivityManagerService是从Binder派生出来的,并实现了IActivityManager接口。在此时ibinderForJavaObject函数逻辑调用的是第一种情况。先从Jave层Binder获取JavaBBinderHolder,在调用JavaBBinderHolder的get函数。
Binder的mObject是在构造函数中初始化的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 class JavaBBinderHolder { public : sp<JavaBBinder> get (JNIEnv* env, jobject obj) { AutoMutex _l(mLock); sp<JavaBBinder> b = mBinder.promote (); if (b == NULL ) { b = new JavaBBinder (env, obj); mBinder = b; ALOGV ("Creating JavaBinder %p (refs %p) for Object %p, weakCount=%" PRId32 "\n" , b.get (), b->getWeakRefs (), obj, b->getWeakRefs ()->getWeakCount ()); } return b; } sp<JavaBBinder> getExisting () { AutoMutex _l(mLock); return mBinder.promote (); } private : Mutex mLock; wp<JavaBBinder> mBinder; };
JavaBBinderHolder的get函数返回的是个JavaBBinder对象,JavaBBinder对象内会有Java层的Binder对象。也就是说addService实际添加到parcel的并不是AMS本身,而是一个JavaBBinder对象,并最终传递到Binder驱动的也是这个JavaBBinder。
2.1-分析JavaBBinder
frameworks/base/core/jni/android_util_Binder.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 class JavaBBinder :public BBinder{ public : JavaBBinder (JNIEnv* env, jobject object) : mVM (jnienv_to_javavm (env)), mObject (env->NewGlobalRef (object)) { ALOGV ("Creating JavaBBinder %p\n" , this ); gNumLocalRefsCreated.fetch_add (1 , std::memory_order_relaxed); gcIfManyNewRefs (env); } private : JavaVM* const mVM; jobject const mObject; };
从代码可以知JavaBBinder继承了BBinder,当Binder驱动的到客户的请求后,会将相应发送给JavaBBinder,这时会调用JavaBBinder的onTransact函数,代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 virtual status_t onTransact ( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags = 0 ) { JNIEnv* env = javavm_to_jnienv (mVM); IPCThreadState* thread_state = IPCThreadState::self (); const int32_t strict_policy_before = thread_state->getStrictModePolicy (); jboolean res = env->CallBooleanMethod (mObject, gBinderOffsets.mExecTransact, code, reinterpret_cast <jlong>(&data), reinterpret_cast <jlong>(reply), flags); return res != JNI_FALSE ? NO_ERROR : UNKNOWN_TRANSACTION; }
会调用Java层Binder的execTransact函数,代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 private boolean execTransact (int code, long dataObj, long replyObj, int flags) BinderCallsStats binderCallsStats = BinderCallsStats.getInstance(); BinderCallsStats.CallSession callSession = binderCallsStats.callStarted(this , code); Parcel data = Parcel.obtain(dataObj); Parcel reply = Parcel.obtain(replyObj); boolean res; try { res = onTransact(code, data, reply, flags); } catch (RemoteException|RuntimeException e) { } finally { } return res; }
execTransact的关键代码就是调用onTransact方法,派生类可以实现onTransact方法,实现自己的业务代码,ActivityManagerService实现了自己的onTransact方法,如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 @Override public boolean onTransact (int code, Parcel data, Parcel reply, int flags) throws RemoteException { try { return super .onTransact(code, data, reply, flags); } catch (RuntimeException e) { if (!(e instanceof SecurityException || e instanceof IllegalArgumentException || e instanceof IllegalStateException)) { Slog.wtf(TAG, "Activity Manager Crash." + " UID:" + Binder.getCallingUid() + " PID:" + Binder.getCallingPid() + " TRANS:" + code, e); } throw e; } }
ActivityManagerService继承IActivityManager.Stub类,该类是通过AIDL编译生成:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 public interface IActivityManager extends android .os .IInterface public static abstract class Stub extends android .os .Binder implements android .app .IActivityManager { private static final java.lang.String DESCRIPTOR = "android.app.IActivityManager" ; public Stub () { this .attachInterface(this , DESCRIPTOR); } public static android.app.IActivityManager asInterface (android.os.IBinder obj) { if ((obj==null )) { return null ; } android.os.IInterface iin = obj.queryLocalInterface(DESCRIPTOR); if (((iin!=null )&&(iin instanceof android.app.IActivityManager))) { return ((android.app.IActivityManager)iin); } return new android.app.IActivityManager.Stub.Proxy(obj); } @Override public android.os.IBinder asBinder () { return this ; } @Override public boolean onTransact (int code, android.os.Parcel data, android.os.Parcel reply, int flags) throws android.os.RemoteException { java.lang.String descriptor = DESCRIPTOR; switch (code) { case INTERFACE_TRANSACTION: { reply.writeString(descriptor); return true ; } case TRANSACTION_startService: { data.enforceInterface(descriptor); IApplicationThread _arg0 = (IApplicationThread) data.readStrongBinder(); Intent _arg1 = (Intent) data.readParcelable(); java.lang.String _arg2 = data.readString(); boolean _arg3 = (0 !=data.readInt()); java.lang.String _arg4 = data.readString(); int _arg5 = data.readInt(); android.content.ComponentName _result = this .startService(_arg0, _arg1, _arg2, _arg3, _arg4, _arg5); reply.writeNoException(); if ((_result!=null )) { reply.writeInt(1 ); _result.writeToParcel(reply, android.os.Parcelable.PARCELABLE_WRITE_RETURN_VALUE); } else { reply.writeInt(0 ); } return true ; } case case TRANSACTION_startActivity:: { data.enforceInterface(DESCRIPTOR); android.app.IApplicationThread _arg0; _arg0 = android.app.IApplicationThread.Stub.asInterface(data.readStrongBinder()); java.lang.String _arg1; _arg1 = data.readString(); android.content.Intent _arg2; if ((0 !=data.readInt())) { _arg2 = android.content.Intent.CREATOR.createFromParcel(data); }else { _arg2 = null ; } java.lang.String _arg3; _arg3 = data.readString(); android.os.IBinder _arg4; _arg4 = data.readStrongBinder(); java.lang.String _arg5; _arg5 = data.readString(); int _arg6; _arg6 = data.readInt(); int _arg7; _arg7 = data.readInt(); android.app.ProfilerInfo _arg8; if ((0 !=data.readInt())) { _arg8 = android.app.ProfilerInfo.CREATOR.createFromParcel(data); } else { _arg8 = null ; } android.os.Bundle _arg9; if ((0 !=data.readInt())) { _arg9 = android.os.Bundle.CREATOR.createFromParcel(data); } else { _arg9 = null ; } int _result = this .startActivity(_arg0, _arg1, _arg2, _arg3, _arg4, _arg5, _arg6, _arg7, _arg8, _arg9); reply.writeNoException(); reply.writeInt(_result); return true ; } default : { return super .onTransact(code, data, reply, flags); } } } private static class Proxy implements android .app .IActivityManager { private android.os.IBinder mRemote; Proxy(android.os.IBinder remote) { mRemote = remote; } @Override public android.os.IBinder asBinder () { return mRemote; } public java.lang.String getInterfaceDescriptor () { return DESCRIPTOR; } @Override public android.content.ComponentName startService ( in IApplicationThread caller, in Intent service, java.lang.String resolvedType, boolean requireForeground, java.lang.String callingPackage, int userId) throws android.os.RemoteException { android.os.Parcel _data = android.os.Parcel.obtain(); android.os.Parcel _reply = android.os.Parcel.obtain(); android.content.ComponentName _result; try { _data.writeInterfaceToken(DESCRIPTOR); _data.writeStrongBinder(caller); _data.writeParcelable(service); _data.writeString(resolvedType); _data.writeInt(((requireForeground)?(1 ):(0 ))); _data.writeString(callingPackage); _data.writeInt(userId); mRemote.transact(Stub.TRANSACTION_startService, _data, _reply, 0 ); _reply.readException(); if ((0 !=_reply.readInt())) { _result = android.content.ComponentName.CREATOR.createFromParcel(_reply); } else { _result = null ; } } finally { _reply.recycle(); _data.recycle(); } return _result; } } static final int TRANSACTION_startService = (android.os.IBinder.FIRST_CALL_TRANSACTION + 0 ); } public android.content.ComponentName startService ( in IApplicationThread caller, in Intent service, java.lang.String resolvedType, boolean requireForeground, java.lang.String callingPackage, int userId) throws android.os.RemoteException ;}
可以看出,JavaBBinder仅是个中间人,它本身没有任何业务函数,其中工作是:
当它收到请求时,只是简单的调用它绑定的Java层Binder对象的exeTransact
该Binder对象的exeTransact调用其子类实现的onTransact函数
子类的onTransact函数将业务又分派个其子类来完成
3-Java层Binder架构总结 Java层Binder架构简图如下所示:
BinderProxy代表客户端,Java层BinderProxy在Native层对应着BpBinder。凡事从Java层发出的请求,先是从Java层BinderProxy传递给Native层的BpBinder,由BpBinder将请求发送给Binder驱动Binder代表服务端,JavaBBinder继承BBinder,JavaBBinder通过mObject指向Java层的Binder,JavaBBinder起到一个中转的作用,将来之客户端的请求从Native层传递到Java层。在整个系统中只有一个服务关键 ServiceManager
