Shulou(Shulou.com)06/01 Report--

This article mainly introduces "how to master ANDROID BINDER communication architecture". In daily operation, I believe many people have doubts about how to master ANDROID BINDER communication architecture. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful for you to answer the doubts about "how to master ANDROID BINDER communication architecture". Next, please follow the editor to study!

2.10 IPC.waitForResponse

In this process, there are several common BR_ commands:

BR_TRANSACTION_COMPLETE: the binder driver receives the reply message after the BC_TRANSACTION event; for oneway transaction, when the message is received, the Binder communication is completed

BR_DEAD_REPLY: reply failed, often because the thread or node is empty. Then end this communication Binder.

BR_FAILED_REPLY: failure to reply is often caused by an error in transaction. Then end this communication Binder.

BR_REPLY: the Binder driver sends a response message to the client; for non-oneway transaction, when the message is received, the Binder communication is completed completely

Rule: BC_TRANSACTION + BC_REPLY = BR_TRANSACTION_COMPLETE + BR_DEAD_REPLY + BR_FAILED_REPLY

2.10.1 IPC.executeCommand

In the remaining BR_ commands.

2.11 IPC.talkWithDriver

Binder_write_read structure is used to exchange data with Binder devices, and communicates with mDriverFD through ioctl. It is a real process of data reading and writing interaction with Binder drivers. The ioctl () method is finally called to the Binder_ioctl () method through syscall.

III. Binder driver3.1 binder_ioctl

[→ Binder.c]

The parameter cmd=BINDER_WRITE_READ passed by [Section 2.11]

First, get the corresponding binder_proc structure according to the passed file handle pointer, and then find the binder_thread. If the current thread has joined the thread queue of proc, it will return directly, if it does not exist, create binder_thread, and add the current thread to the current proc.

When the return value is-ENOMEM, it means that there is not enough memory, and the creation of a binder_thread object often fails.

When the return value is-EINVAL, it means that the CMD command parameter is invalid

3.2 binder_ioctl_write_read

At this point, arg is a binder_write_read structure, and the mOut data is stored in write_buffer, so write_size > 0, but at this time read_size=0. First, copy the user-space bwr structure to kernel space, and then perform the binder_thread_write () operation.

3.3 binder_thread_write

Keep getting cmd from the address that binder_buffer points to, and when there is only BC_TRANSACTION or BC_REPLY, binder_transaction () is called to handle the transaction.

3.4 binder_transaction

When BC_TRANSACTION is sent, reply=0 at this time.

Main functions:

Process of querying the target process: handle → binder_ref → binder_node → binder_proc

Add BINDER_WORK_TRANSACTION to the target queue target_list, first initiate a transaction, the target queue is listed as target_proc- > todo, and when a reply transaction is a non-reply transaction with target_thread- > todo; oneway, it is target_node- > async_todo.

Add BINDER_WORK_TRANSACTION_COMPLETE to the todo queue of the current thread

At this point, the todo queue of the current thread already has a transaction, and then it will enter binder_thread_read () to process the related transaction.

3.5 binder_thread_read

When the BINDER_WORK_TRANSACTION_COMPLETE is received, the command BR_TRANSACTION_COMPLETE is written back to user space.

When you receive a BINDER_WORK_TRANSACTION command, write the command BR_TRANSACTION or BR_TRANSACTION back to user space.

four。 Back to user space 4.1 where to go

After executing the binder_thread_write method, write BINDER_WORK_TRANSACTION_COMPLETE to the current thread first through binder_transaction ().

When bwr.read_size > 0, go back to the binder_ioctl_write_read method and start executing binder_thread_read ()

In the binder_thread_read () method, you will get the cmd=BR_TRANSACTION_COMPLETE, and then write the cmd and data back to user space

Once the Binder_ioctl is completed, then the user-space method talkWithDriver () is called back, and the data is written to mIn.

When the mIn has readable data, go back to the waitForResponse () method and complete the BR_TRANSACTION_COMPLETE process.

Then fall back to the transact () method, for the operation of oneway, the Binder communication is completed, otherwise you still have to wait for the return of the Binder server.

For the startService process, obviously there is no way to specify the oneway, so the initiator process will continue to stay in the waitForResponse () method, waiting to receive the BR_REPLY message. Because in the previous binder_transaction procedure, in addition to writing BINDER_WORK_TRANSACTION_COMPLETE to your thread, you also wrote BINDER_WORK_TRANSACTION commands to the target process (in this case, system_server). At this time, once the binder thread of the system_server process is idle, it stays in the binder_thread_read () method to handle the new transaction of the process / thread, receives the BINDER_WORK_TRANSACTION command, and generates the command BR_TRANSACTION after binder_thread_read (). The same process.

Next, the system_server binder thread executes the flow all the time: IPC.joinThreadPool-> IPC.getAndExecuteCommand () → IPC.talkWithDriver (), but after talkWithDriver receives the transaction, it goes into IPC.executeCommand (), and then starts with executeCommand.

4.2 IPC.executeCommand

For the oneway scene, it's all over.

For non-oneway, that is, the communication process that requires reply, send a BC_REPLY command to the Binder driver

4.3 BBinder.transact

[→ Binder.cpp:: BBinder]

4.4 JavaBBinder.onTransact

[→ android_util_Binder.cpp]

Remember the AndroidRuntime::startReg process, one of which is register_android_os_Binder (), which refers to gBinderOffsets.mExecTransact as the execTransact () method in Binder.java. For details, see the initialization process in section 2 of the Binder series 7-framework layer analysis article.

In addition, here mObject is in the service registration addService process, and the writeStrongBinder method is called, passing the Binder object into the parameters of the JavaBBinder constructor, and finally assigning the value to mObject. In this communication process, Object is the ActivityManagerNative object.

Here the stars change, from the C++ code back to the Java code. Enter AMN.execTransact, since AMN continues in the Binder object, then enter Binder.execTransact

4.5 Binder.execTransact

[Binder.java]

When RemoteException, RuntimeException, OutOfMemoryError occur, exceptions are passed to the caller in the case of non-oneway.

4.6 AMN.onTransact

[→ ActivityManagerNative.java]

4.7 AMS.startService

After thousands of mountains and rivers, I finally entered the AMS.startService. When system_server receives the BR_TRANSACTION process, it goes through a similar process to inform the app process that service startup is complete. The process is basically the same, so it will no longer be carried out here.

At this point, the study on "how to master ANDROID BINDER communication architecture" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.