Understanding Binder in Android

  • Published on
    07-Jul-2015


DESCRIPTION

Binder is the Android-specific inter-process communication mechanism,

Transcript

1. Understanding Binder in Android
   Haifeng Li, 2014-9-2

2. Outline
  • Background
    • What is Binder
    • Binder Communication Model
    • Terminology
    • Binder Software Stack
  • Client (user space)
  • Binder driver (kernel space)
  • Service (user space)

3. Background
   What is Binder? An inter-process communication system for developing object-oriented OS services.
   [Diagram: client and server exchanging data]

4. Binder Communication Model
   [Diagram: in user space, the client, the service and the Service Manager (/system/bin/servicemanager) each hold mIn/mOut buffers and reach the Binder Driver in kernel space through ioctl/open/...; the service calls Add Service and the client calls Get Service on the Service Manager, which keeps a table of Service 1 / handle 1, Service 2 / handle 2, ...]

5. Terminology
  • Service Handle
  • Remote Binder
  • Local Binder
  • Binder node
  • Binder reference
  • Service Manager (Context Manager): its handle is 0 in all binder clients and servers.
   [Diagram: Binder Driver relating Remote Binder/Handle, Local Binder, Binder Node and Binder ref.]

6. IPC Software Stack
   [Diagram: App1 and service in user space; Client side Proxy (BpBinder) and IPCThreadState, Server side Stub (BnBinder) and IPCThreadState; Binder Module in kernel space; steps numbered 1 to 6]
   1. BpBinder(n) -> transact(OP, data, &reply)
   2. IPCThreadState::transact(handle, OP, data, reply)
   3. ioctl(binder_fd, BINDER_OPERATION, &bwr)
   4. IPCThreadState::getAndExecuteCommand()
   5. Bnxxx::onTransact(OP, data, reply)

7. Client (user space)
  • Initialization
    • Call the system call open(), which is binder_open in the kernel. Open the /dev/binder file and get a file descriptor. Create some key data structures.
    • mmap 1MB-8KB of virtual space for data transactions, handled by binder_mmap in the kernel.
  • Get the handle of the service from the service manager.
  • Send the request to the service through BpBinder(handle).
  • Data is transacted to the kernel by IPCThreadState.
   [Diagram: IPC software stack, as on slide 6]

8. Data Transaction in Client (1)
   Package in Client

    virtual void Client::Foo(int32_t push_data) {
        Parcel data, reply;
        data.writeInterfaceToken(IDemo::getInterfaceDescriptor());
        data.writeInt32(push_data);  // writeStrongBinder(service)

        remote()->transact(OP, data, &reply);
    }

   [Diagram: Parcel with mData holding flat_binder_object entries and mObjects pointing at them; Service]

9. Data Transaction in Client (2)
   Packaged to binder_transaction_data:
   IPCThreadState::writeTransactionData(int32_t cmd, , int32_t handle, uint32_t code, const Parcel& data)
  • cmd will be added to mData (BC_TRANSACTION, BC_REPLY; Binder Command).
  • Target: the target handle.
  • Cookie: will be defined according to the handle in the binder driver.
  • Code: the operation requested by the client.
  • Offsets help the binder driver process binder object references.
   [Diagram: Parcel (mData, mObjects, flat_binder_object) mapped to binder_transaction_data (target, cookie, code, ..., data.ptr.buffer, data.ptr.offsets, ...)]

10. Data Transaction in Client (3)
   Binder Command (User -> Driver)
  • Binder Thread Support: BC_REGISTER_LOOPER, BC_ENTER_LOOPER, BC_EXIT_LOOPER
  • Binder Transactions: BC_TRANSACTION, BC_REPLY
  • Further Mechanism: BC_INCREFS, BC_RELEASE, BC_DECREFS, BC_REQUEST_DEATH_NOTIFICATION, BC_CLEAR_DEATH_NOTIFICATION, BC_DEAD_BINDER_DONE
   Binder Return Command (Driver -> User)
  • Binder Thread Support: BR_SPAWN_LOOPER
  • Binder Transactions: BR_TRANSACTION, BR_REPLY
  • Further Mechanism: BR_INCREFS, BR_ACQUIRE, BR_RELEASE, BR_DECREFS, BR_CLEAR_DEATH_NOTIFICATION_DONE
   [Sequence diagram: Client, Driver and Server exchanging BC_TRANSACTION, BR_TRANSACTION, BC_REPLY, BR_REPLY, BC_FREE_BUFFER, BC_FREE_BUFFER]

11. Data Transaction in Client (4)
   Repackage to Parcel (mOut).
   Each working thread has two parcels: mOut and mIn. mOut is the write buffer, mIn is the read buffer.
   [Diagram: Parcel mData holding cmd and binder_transaction_data; binder_write_read with write_size, write_buffer, read_size, read_buffer]

12. Outline
  • Background
  • Client (user space)
  • Binder driver (kernel space)
  • Service (user space)
   [Diagram: IPC software stack, as on slide 6]

13. Binder Driver: Binder Protocol
   The protocol used for the ioctl() system call:
  • BINDER_WRITE_READ
  • BINDER_SET_MAX_THREADS
  • BINDER_SET_CONTEXT_MGR
  • BINDER_THREAD_EXIT
  • BINDER_VERSION
  • BINDER_SET_IDLE_TIMEOUT

14. Key Data Structure (1)
   [Diagram: Binder Driver with one binder_proc each for Process 1, Process 2 and Process 3; each binder_proc holds threads, node, refs_by_desc and refs_by_node]
  • The binder_proc is mapped to a process 1:1. It is created on binder_open(). All binder_proc are listed in binder_procs.
  • The binder_proc has 4 red-black trees.
  • The binder_thread represents a working thread, inserted into the threads rbtree.
  • The binder_node represents a service, inserted into the node rbtree.
  • refs_by_desc and refs_by_node represent references to a proc_node.

15. Key Data Structure (2)
   [Diagram: in user space, BpBinder (Remote Binder) and BBinder (Local Binder); in kernel space, two binder_proc entries (node, refs_by_node) linked through binder_ref and binder_node]

16. Key Data Structure (3)
   [Diagram: binder_proc and binder_thread, each with a todo list of binder_work items leading to binder_transaction entries]

17. Input Data Format
   [Diagram: in the client's IPCThreadState, the mOut Parcel holds BC_TRANSACTION / BC_XXXX commands followed by their data structs; binder_write_read (write_size, write_buffer, read_size, read_buffer) points at it; binder_transaction_data (code, cookie, handle, buffer, data_size, offsets, ...) points at a Parcel whose offset 1, offset 2, ... locate the flat_binder_object entries]

18. Transaction in Binder Client (1)
   1. Copy binder_write_read from user space.
   2. Copy the xxx data to kernel space. Iterate over the items:
    • Get the Binder command from write_buffer (BC_XXX).
    • Get the target thread/proc/node by handle.
    • Allocate a binder_buffer from the target space, and copy the effective data.
    • Build a session (build_transaction).
    • Add the session to the target thread's todo list.
    • Add a BINDER_WORK_TRANSACTION_COMPLETE binder_work to the source thread.
    • Wake up the corresponding thread.
   [Diagram: input data format, as on slide 17, with steps 1 and 2 marked]

19. Transaction in Binder Client (2)
   [Diagram: input data format, as on slide 17, copied into the target space: binder_transaction (code, priority, sender_euid, to_thread, to_proc, buffer, ...) and binder_buffer (data, data_size, offsets_size, target_node); the data and Offsets[] are copied]

20. Transaction in Binder -- Server
   1. The server thread wakes up and gets a binder_work (binder_transaction) from the todo list.
   2. Build a binder_transaction_data from the binder_transaction.
   3. Set priority of current thread of client.
   4. The buffer and offsets will be virtual addresses: virtual address = kernel address + address offset.
   5. Copy binder_transaction_data to mIn.
   6. Return from the kernel.
   7. IPCThreadState iterates over the commands and data. For BR_TRANSACTION, it calls the stub's onTransact function, which finally calls the server's service function.
   [Diagram: in kernel space, binder_transaction and binder_buffer in the target space produce a binder_transaction_data; it is copied to user space into the mIn Parcel as BR_NOOP, BR_TRANSACTION, binder_transaction_data, referenced by binder_write_read (write_size, write_buffer, read_size, read_buffer)]

21. Transaction stack (1)
   The stack records transaction sessions.
   Commonly, to_parent and from_parent are null. But what happens when the transaction relies on another session? The session in B will be lost.
   [Diagram: Binder_thread A and Binder_thread B, each with todo (list_head), transaction_stack and wait queue; binder_transaction with to_parent, from_parent, sender_euid, to_thread, ...]

22. Transaction stack (2)
   For example, A -> B, B -> C, C -> A.

23. Binder Workflow
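The offsets array described on slides 9 and 17 tells the receiver where each flat_binder_object sits inside the data buffer, so every offset has to be range-checked before an object is read. The following is an added example, not code from the slides or from the kernel driver; `flat_obj`, `txn`, `validate_offsets` and `read_obj` are hypothetical, simplified stand-ins for the structures named on the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the slide's structures; not the kernel layouts. */
struct flat_obj { uint32_t type; uint32_t flags; uint64_t handle; uint64_t cookie; };

struct txn {                    /* stands in for binder_transaction_data */
    uint32_t handle, code;      /* target handle and operation code */
    const uint8_t *buffer;      /* data.ptr.buffer: the Parcel's mData */
    size_t data_size;
    const uint64_t *offsets;    /* data.ptr.offsets: the Parcel's mObjects */
    size_t offsets_size;        /* size of the offsets array in bytes */
};

enum { TXN_OK = 0, TXN_BAD_SIZE = -1, TXN_BAD_OFFSET = -2, TXN_OVERLAP = -3 };

/* Validate the offsets array before any object in the buffer is touched.
 * Returns the number of embedded objects, or a negative TXN_* error. */
int validate_offsets(const struct txn *t)
{
    if (t->offsets_size % sizeof(uint64_t) != 0)
        return TXN_BAD_SIZE;
    size_t n = t->offsets_size / sizeof(uint64_t);
    uint64_t min_next = 0;      /* first byte the next object may start at */

    for (size_t i = 0; i < n; i++) {
        uint64_t off = t->offsets[i];
        /* Subtraction form cannot overflow the way off + sizeof(obj) can. */
        if (t->data_size < sizeof(struct flat_obj) ||
            off > t->data_size - sizeof(struct flat_obj) ||
            off % sizeof(uint32_t) != 0)
            return TXN_BAD_OFFSET;
        if (off < min_next)
            return TXN_OVERLAP; /* unsorted or overlapping objects */
        min_next = off + sizeof(struct flat_obj);
    }
    return (int)n;
}

/* Copy one already-validated object out of the buffer. */
struct flat_obj read_obj(const struct txn *t, size_t i)
{
    struct flat_obj o;
    memcpy(&o, t->buffer + t->offsets[i], sizeof o);
    return o;
}
```

Call `read_obj` only after `validate_offsets` has returned a non-negative count for the same `txn`.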
