binder传输机制

最新推荐文章于 2025-06-08 21:11:03 发布

原创最新推荐文章于 2025-06-08 21:11:03 发布 · 580 阅读

4 ·

CC 4.0 BY-SA版权

文章标签：

#binder通信 #binder数据结构 #binder驱动 #binder源码分析binder使用服务

本文详细解析了BpBinder调用BBinder的过程，包括客户端如何通过BpGoodbyeService发起请求，以及请求如何被封装并通过Binder驱动传递给服务端。深入探讨了Binder通信机制中的关键组件和数据结构。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

本节讲述BpBinder调用BBinder的过程，我们以client使用server提供的服务源码来分析。假设server向serviceManager注册了Goodbye服务（binder初始化有说），client获取了Goodbye服务。

client应用程序调用代理类对象方法BpGoodbyeService::saygoodbye_to("android")

int saygoodbye_to(const char *name) { /* 构造/发送数据 */ Parcel data, reply; int exception; data.writeInt32(0); data.writeString16(String16("IGoodbyeService")); data.writeString16(String16(name)); //把数据发向驱动 remote()->transact(GOODBYE_SVR_CMD_SAYGOODBYE_TO, data, &reply); //解释返回的数据 exception = reply.readInt32(); if (exception) return -1; else return reply.readInt32(); }

Parcel对象提供了很多方法去封装数据到缓冲区，或者读取缓冲区的数据，注意在Parcel缓冲区写入字符串会先写入字符串的长度。

data的缓冲区是这样分布的：

封装好数据后调用remote()->transact()。前面我们说过remote()返回的是binder引用对象Bpbinder，所以remote()->transact()就会调用到BpBinder的transact（）函数。

status_t BpBinder::transact( uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) { // Once a binder has died, it will never come back to life. if (mAlive) { //调用binder线程对象transact方法 status_t status = IPCThreadState::self()->transact( mHandle, code, data, reply, flags); if (status == DEAD_OBJECT) mAlive = 0; return status; } return DEAD_OBJECT; }

BpBinder::transact（）会调用binder线程对象transact函数，注意参数它增加了一个mHandle参数，也就是binder引用对象的handle值。这里它对binder实体对象BBinder的引用编号为1（handle=1）。

status_t IPCThreadState::transact(int32_t handle, uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) { status_t err = data.errorCheck(); flags |= TF_ACCEPT_FDS; ... if (err == NO_ERROR) { //封装数据 err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL); } if ((flags & TF_ONE_WAY) == 0) { if (reply) { err = waitForResponse(reply); } else { Parcel fakeReply; err = waitForResponse(&fakeReply); } } else { err = waitForResponse(NULL, NULL); } return err; }

IPCThreadState::transact（）会有两个步骤

1、writeTransactionData（）封装数据

2、waitForResponse（）发送数据并等待回复

1、writeTransactionData（）

status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags, int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer) { binder_transaction_data tr; tr.target.ptr = 0; /* Don't pass uninitialized stack data to a remote process */ tr.target.handle = handle; tr.code = code; tr.flags = binderFlags; tr.cookie = 0; tr.sender_pid = 0; tr.sender_euid = 0; const status_t err = data.errorCheck(); if (err == NO_ERROR) { tr.data_size = data.ipcDataSize(); // tr.data.ptr.buffer = data.ipcData(); tr.offsets_size = data.ipcObjectsCount()*sizeof(binder_size_t); tr.data.ptr.offsets = data.ipcObjects(); } else if (statusBuffer) { tr.flags |= TF_STATUS_CODE; *statusBuffer = err; tr.data_size = sizeof(status_t); tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer); tr.offsets_size = 0; tr.data.ptr.offsets = 0; } else { return (mLastError = err); } mOut.writeInt32(cmd); //cmd = BC_TRANSACTION mOut.write(&tr, sizeof(tr)); return NO_ERROR; } </uintptr_t>

继续封装参数的数据到线程缓冲区，注意参数data和线程缓冲区mout都是Parcel对象。

mOut的缓冲区是这样分布的：

2、waitForResponse（）

status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult) { int32_t cmd; int32_t err; while (1) { if ((err=talkWithDriver()) < NO_ERROR) break; cmd = mIn.readInt32(); switch (cmd) { case BR_TRANSACTION_COMPLETE: ... break; case BR_DEAD_REPLY: ... goto finish; case BR_FAILED_REPLY: ... goto finish; case BR_ACQUIRE_RESULT: ... goto finish; case BR_REPLY: ... goto finish; default: err = executeCommand(cmd); if (err != NO_ERROR) goto finish break; } } finish: if (err != NO_ERROR) { if (acquireResult) *acquireResult = err; if (reply) reply->setError(err); mLastError = err; } return err; } status_t IPCThreadState::executeCommand(int32_t cmd) { ... switch (cmd) { case BR_ERROR: ... break; case BR_OK: ... break; case BR_ACQUIRE: ... break; case BR_RELEASE: ... break; case BR_INCREFS: ... break; case BR_DECREFS: ... break; case BR_ATTEMPT_ACQUIRE: ... break; case BR_TRANSACTION: ... break; case BR_DEAD_BINDER: ... break; case BR_CLEAR_DEATH_NOTIFICATION_DONE: ... break; case BR_FINISHED: ... break; case BR_NOOP: ... break; case BR_SPAWN_LOOPER: ... break; default: result = UNKNOWN_ERROR; break; } ... return result; }

waitForResponse会在死循环通过talkWithDriver向驱动发送数据，并在talkWithDriver里面阻塞，直到有数据返回，然后通过case-by-case解释读到的cmd。要注意很多返回的cmd处理只是简单的break处理，然后循环talkWithDriver再向驱动发送数据，阻塞等待驱动返回的数据，直到解释goto finish的命令才结束死循环。

再看talkWithDriver把线程缓冲区mout的数据封装成binder_write_read 结构体发送到驱动

status_t IPCThreadState::talkWithDriver(bool doReceive) { binder_write_read bwr; // needRead = true const bool needRead = mIn.dataPosition() >= mIn.dataSize(); //doReceive默认为true const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0; //写入驱动的数据大小 bwr.write_size = outAvail; //写入驱动的数据起始地址 bwr.write_buffer = (uintptr_t)mOut.data(); / This is what we'll read. if (doReceive && needRead) { //储存驱动返回数据的容量，之前设置为255 bwr.read_size = mIn.dataCapacity(); //储存驱动返回数据的起始地址 bwr.read_buffer = (uintptr_t)mIn.data(); } else { bwr.read_size = 0; bwr.read_buffer = 0; } bwr.write_consumed = 0; bwr.read_consumed = 0; ... if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0) err = NO_ERROR; if (bwr.read_consumed > 0) { //用Parcel解释驱动返回的数据 mIn.setDataSize(bwr.read_consumed); mIn.setDataPosition(0); } ... }

它最终会通过ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr）发送数据到驱动，这个线程阻塞到这里。直到驱动返回，返回数据的就在bwr.read_buffer缓冲区，bwr.read_consumed是返回数据的长度。可以看到它把数据放到reply缓冲区，reply依然是Parcel对象。

总结为图：

ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr）

client进入内核空间，调用到binder驱动的binder_ioctl。cmd为BINDER_WRITE_READ，参数bwr.write_size 和 bwr.read_size都大于0，所有依次调用

1、binder_thread_write（）

2、binder_thread_read（）

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { int ret; //这里获取到client的binder_proc结构体 struct binder_proc *proc = filp->private_data; //在文件描述符私有数据获取binder_open记录的binder_proc //cmd为BINDER_WRITE_READ //size 根据宏_IOC_SIZE计算出来 unsigned int size = _IOC_SIZE(cmd); //用户空间的命令字段 void __user *ubuf = (void __user *)arg; //用户空间的参数字段 binder_lock(__func__); thread = binder_get_thread(proc); //获取调用ioctl的线程结构体 switch (cmd) { case BINDER_WRITE_READ: { struct binder_write_read bwr; //BINDER_WRITE_READ参数一定是binder_write_read if (size != sizeof(struct binder_write_read)) { ret = -EINVAL; goto err; } //复制用户空间的数据 copy_from_user(&bwr, ubuf, sizeof(bwr)); if (bwr.write_size > 0) { binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed); } if (bwr.read_size > 0) { binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK); //进程的proc->todo事务链表不为空，唤醒进程proc->wait等待队列中的线程去处理 if (!list_empty(&proc->todo)) wake_up_interruptible(&proc->wait); //把同样的参数复制到用户空间 copy_to_user(ubuf, &bwr, sizeof(bwr)); } } ... } if (thread) thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN; binder_unlock(__func__); return ret; //返回到用户空间 }

1 binder_thread_write（）

int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, void __user *buffer, int size, signed long *consumed) { uint32_t cmd; //用户空间binder_write_read.write_buffer的地址，因为*consumed = 0 void __user *ptr = buffer + *consumed; //用户空间binder_write_read.write_buffer + binder_write_read.write_size的地址 void __user *end = buffer + size; while (ptr < end && thread->return_error == BR_OK) { //取出命令cmd = BC_TRANSACTION if (get_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); switch (cmd) { ... case BC_TRANSACTION: case BC_REPLY: { struct binder_transaction_data tr; if (copy_from_user(&tr, ptr, sizeof(tr))) return -EFAULT; //ptr += sizeof(tr), ptr == end ptr += sizeof(tr); binder_transaction(proc, thread, &tr, cmd == BC_REPLY); break; } ... } //bwr.write_consumed长度，实制写入驱动的数据长度 *consumed = ptr - buffer; } return 0; }

binder_transaction

static void binder_transaction(struct binder_proc *proc, struct binder_thread *thread, struct binder_transaction_data *tr, int reply) { struct binder_transaction *t; struct binder_work *tcomplete; size_t *offp, *off_end; size_t off_min; struct binder_proc *target_proc; struct binder_thread *target_thread = NULL; struct binder_node *target_node = NULL; struct list_head *target_list; wait_queue_head_t *target_wait; struct binder_transaction *in_reply_to = NULL; ... if (reply) { ... } else { if (tr->target.handle) { //根据handle找到binder引用在驱动中的表述 struct binder_ref *ref; ref = binder_get_ref(proc, tr->target.handle); //binder引用记录了对应的binder实体 target_node = ref->node; } else { ... } //得到目标进程的binder_proc结构体，也就是server target_proc = target_node->proc; //此时thread->transaction_stack还没有数据，为NULL if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) { //这里涉及线程栈对消息处理的优化，尽量把消息发送到目标进程中的线程todo链表，找不到的话只能把消息发到目标目标进程的todo链表 ... } } //找不到目标线程，只能将就把传输事务放在目标进程的todo链表 if (target_thread) { target_list = &target_thread->todo; target_wait = &target_thread->wait; } else { //记录目标todo链表，和对应的等待队列 target_list = &target_proc->todo; target_wait = &target_proc->wait; } //创建一个新的传输事务结构体 t = kzalloc(sizeof(*t), GFP_KERNEL); tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL); ... //记录源线程 if (!reply && !(tr->flags & TF_ONE_WAY)) t->from = thread; else t->from = NULL; //记录目标进程线程 t->sender_euid = proc->tsk->cred->euid; t->to_proc = target_proc; t->to_thread = target_thread; t->code = tr->code; t->flags = tr->flags; t->priority = task_nice(current); //为目标进程分配内存 //binder的内存管理为用户空间和内核空间做了映射，在内核空间把数据复制到该内存块， //不需要copy_to_user用户空间就能直接访问 t->buffer = binder_alloc_buf(target_proc, tr->data_size, tr->offsets_size, !reply && (t->flags & TF_ONE_WAY)); //不允许释放这段内存，等待目标进程处理完这些数据就会允许释放这段内存 t->buffer->allow_user_free = 0; t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; t->buffer->target_node = target_node; ... //指向刚为目标进程分配内存的地址+binder_transaction_data.data_size的长度 offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *))); //复制client传输的有效负载数据 copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size); //tr->offsets_size = 0 copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size); ... if (reply) { ... } else if (!(t->flags & TF_ONE_WAY)) { //这个事务需要回复 t->need_reply = 1; //事务入线程栈 t->from_parent = thread->transaction_stack; thread->transaction_stack = t; } else { ... } //把事务添加到目标进程server的todo链表 t->work.type = BINDER_WORK_TRANSACTION; list_add_tail(&t->work.entry, target_list); //事务传输完毕结果添加到client进程的等待队列 tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; list_add_tail(&tcomplete->entry, &thread->todo); //唤醒等待队列 if (target_wait) wake_up_interruptible(target_wait); return; }

其实server就是在binder_thread_read上wait_event_interruptible_exclusive上睡眠了，binder_transaction把它唤醒了，继续执行。我们先忽略client的binder_thread_read，直接看看server的binder_thread_read。

binder_thread_read（）

static int binder_thread_read(struct binder_proc *proc, struct binder_thread *thread, void __user *buffer, int size, signed long *consumed, int non_block) { //用户空间binder_write_read.read_buffer的地址 void __user *ptr = buffer + *consumed; //用户空间binder_write_read.read_buffer + binder_write_read.read_size的地址 void __user *end = buffer + size; int ret = 0; int wait_for_proc_work; if (*consumed == 0) { if (put_user(BR_NOOP, (uint32_t __user *)ptr)) return -EFAULT; //ptr地址+4 ptr += sizeof(uint32_t); } retry: //线程栈为空同时线程事务队列为空 wait_for_proc_work 为ture wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo); ... if (wait_for_proc_work) { ... //设置处理优先级 binder_set_nice(proc->default_priority); //默认以阻塞方式打开驱动 if (non_block) { if (!binder_has_proc_work(proc, thread)) ret = -EAGAIN; } else ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread)); } else { if (non_block) { if (!binder_has_thread_work(thread)) ret = -EAGAIN; } else ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread)); } ... while (1) { uint32_t cmd; struct binder_transaction_data tr; struct binder_work *w; struct binder_transaction *t = NULL; if (!list_empty(&thread->todo)) w = list_first_entry(&thread->todo, struct binder_work, entry); //把client在binder_transaction中组织的事务BINDER_WORK_TRANSACTION取出来 else if (!list_empty(&proc->todo) && wait_for_proc_work) w = list_first_entry(&proc->todo, struct binder_work, entry); else { if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */ goto retry; break; } ... switch (w->type) { case BINDER_WORK_TRANSACTION: { //得到client在binder_transaction中组织的事务t t = container_of(w, struct binder_transaction, work); }break; case BINDER_WORK_TRANSACTION_COMPLETE: { cmd = BR_TRANSACTION_COMPLETE; if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); //把tcomplete节点从thread->todo链表删掉 list_del(&w->entry); kfree(w); ... }break; ... } //t 还没有赋值，继续执行while if (!t) continue; //根据tr重新组织t if (t->buffer->target_node) { struct binder_node *target_node = t->buffer->target_node; tr.target.ptr = target_node->ptr; tr.cookie = target_node->cookie; t->saved_priority = task_nice(current); if (t->priority < target_node->min_priority && !(t->flags & TF_ONE_WAY)) binder_set_nice(t->priority); else if (!(t->flags & TF_ONE_WAY) || t->saved_priority > target_node->min_priority) binder_set_nice(target_node->min_priority); cmd = BR_TRANSACTION; } else { tr.target.ptr = NULL; tr.cookie = NULL; cmd = BR_REPLY; } tr.code = t->code; tr.flags = t->flags; tr.sender_euid = t->sender_euid; if (t->from) { struct task_struct *sender = t->from->proc->tsk; tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns); } else { tr.sender_pid = 0; } tr.data_size = t->buffer->data_size; tr.offsets_size = t->buffer->offsets_size; tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset; tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *)); if (put_user(cmd, (uint32_t __user *)ptr)) return -EFAULT; ptr += sizeof(uint32_t); if (copy_to_user(ptr, &tr, sizeof(tr))) return -EFAULT; ptr += sizeof(tr); //处理完这个事务，删掉 list_del(&t->work.entry); //允许释放内存 t->buffer->allow_user_free = 1; if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) { //入线程栈 t->to_parent = thread->transaction_stack; t->to_thread = thread; thread->transaction_stack = t; } else { t->buffer->transaction = NULL; kfree(t); binder_stats_deleted(BINDER_STAT_TRANSACTION); } break; } done: *consumed = ptr - buffer; ... //返回到应用层 return 0; }

client在用户空间把binder_transaction_data传给client内核空间，client内核空间在binder_transaction函数里面把binder_transaction_data整理成一个事务binder_transaction结构体，并通过链表链入到server内核空间的proc->todo事务队列，并唤醒server内核空间的proc->wait等待队列。server会继续在binder_thread_read函数wait_event_interruptible_exclusive上唤醒并继续执行。server把proc->todo链表中的事务binder_transaction取出来，并重新组织binder_transaction_data传递给server的用户空间。要注意，client用户空间结构体binder_transaction_data.target.handle为Bpbinder的handle值，到了server的内核空间binder_thread_read，server把binder_transaction_data.target.cookie附上值，cookie值正是BBinder在server用户空间中的地址。

待续。。。