Skip to main content
 首页 » 编程设计

Android Binder学习——C实现

2022年07月19日53duanxz

注:基于Android5.1版本,Tiny4412平台。

一、学习笔记

1.Binder的核心是IPC和RPC
IPC: (Inter-Process Communication)进程间通信,指至少两个进程或线程间传送数据或信号的一些技术或方法。
RPC: (Remote-Process Communication)远程过程调用,类似于调用其它进程的函数。

ICP三要素:
源:A
目的:
B向ServiceManager注册led服务
A向ServiceManager查询led服务得到一个handle。
数据:buf[512]

RPC:
调用哪个函数:Server的函数编号
传给它什么参数:通过IPC的buf[]进行传输(使用的是binder驱动)。
返回结果:远端执行完返回值

2.系统自带的C实现的Binder程序:frameworks/native/cmds/servicemanager
service_manager.c 充当SM的角色,管理所有的Service,其本身也是一个服务。
binder.c 封装好的C库
bctest.c 半成品,演示怎样注册服务

3.int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr)
如果两个service的注册函数svcmgr_publish()的最后一个参数值相同,那么会报错。
正常情况下kill掉service_manager的时候,所有的service都会收到死亡通知,然后从链表中删除掉。但是若两个service指定为相同的ptr,
那么下次再重启service_manager的时候它会报这个服务已经存在了,由于相同的ptr导致kill掉service_manager时有一个并没有收到死亡通
知,也就不能从链表中删除。

4.binder应该是个内核线程,binder驱动中创建了一个单CPU的工作队列
# ps | grep binder
root 1073 2 0 0 c00a0668 00000000 S binder


5.驱动中数据结构表示
struct binder_ref : 表示引用
binder_node :表示一个Service
binder_proc :表示进程
binder_thread :表示线程的一个线程

6.handle是进程A(Client)对进程B(Service)提供的服务的引用,由handle可以对比desc成员找到binder_ref结构,
其*node成员指向表示某项服务的binder_node结构体,binder_node的proc成员指向表示进程的binder_proc结构体,其内部指向对应的进程
从而找到目的进程, 然后把数据给到目的进程的todo链表上,然后唤醒目的进程。

7.handler是per-process的

8.mmap使用户态可以直接操作内核态的内存。service mmap后,service用户空间就可以直接使用内核buff.所以binder通信只需要client端的
一次copy_from_user()一次拷贝。但是数据类型cmd还是要拷贝两次的。

9.发给驱动的命令和驱动发给用户的命令是不同的
A进程给B进程发送数据:A进程使用BC_TRANSACTION发送,经过binder驱动转换,B进程接收到是BR_TRANSACTION
B进程给A进程回复数据:B进程使用BC_REPLY发送,经过binder驱动转换,A进程接收到是BR_REPLY
只有这四种会涉及2个进程,其它的cmd都只涉及应用和驱动的通信。

10.每个进程在open("/dev/binder")时会给它创建一个binder_proc结构,每个线程在调用ioctl()的时候都会创建一个binder_thread结构。

11.Service可以分为匿名和具名Service. 前者没有注册到ServiceManager, 应用无法通过名字获取到访问该服务的Proxy对象。


12.但是创建子进程不能使用fork(),因为在service_manager.c中binder_open()中mmap()调用内核的binder_mmap():
这里指定了VM_DONTCOPY,在用户空间中使用fork()创建的子进程无法访问到service_manager.c中mmap()的内存 vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE; 只能使用pthread_create(),它会把mmap()的空间也拷贝过来。(Android11上好像没有这个flag了)

13.创建多线程Service读取到驱动发出的BR_SPAWN_LOOPER后使用pthread_create()创建多线程。驱动处理不过来的时候就会向Service发送这个
请求命令。驱动判断处理不过来的方法是Service端没有线程在阻塞等待。Service可以设置最大线程数量。

14.addService执行流程

(1) test_service中为每个service构造flat_binder_object结构体,其type=BINDER_TYPE_BINDER表示让binder驱动为我这个Service构造一个
binder_node结构体,每个不同的服务的*binder或cookie域不同。
(2) ioctl(BINDER_WRITE_READ)来发送数据。数据中包括flat_binder_object结构体和服务的名字,数据中的handle=0表示发给SM。
(3) binder驱动中为每一个flat_binder_object构造一个binder_node结构体,它表示一个Service。
(4) binder驱动根据handle=0找到SM,然后把数据发给SM。并为SM构造binder_ref结构体。
(5) SM应用程序中收到数据后记录下Service的名字和handle(desc)值,记录的数据保存在svlist链表上。

15.getService执行流程

(1) test_client构造数据,name为要获取的Service的名字,handle为0表示向SM获取服务。
(2) 调用ioctl(BINDER_WRITE_READ)将数据发给binder驱动
(3) binder驱动根据handle=0找到SM进程,然后把数据发给SM进程
(4) SM进程从svlist链表中根据名字找到对应Service的handle值,然后将其写给驱动(目的是发给Client)。写给驱动的数据格式也是一个
flat_binder_object结构体,其type=BINDER_TYPE_HANDLE表示让驱动为client进程创建一个binder_ref结构体。
(5) 驱动发现收到的数据中有flat_binder_object结构体且其type=BINDER_TYPE_HANDLE就会为Client进程创建一个binder_ref结构体,
其handle为数据中的handle,node域指向要获得Service的binder_node结构体。

16.client使用Service的执行流程

(1) 构造数据,参数:code表示调用哪个函数,handle表示使用哪个Service
(2) 使用ioctl(BINDER_WRITE_READ)将数据发给驱动
(3) 驱动中取出数据,根据handle找到binder_ref结构体(对比desc域),根据其node域找到binder_node结构体(表示一个Service)从而找到
对应的Service,然后把数据传给这个Service进程,并设置数据中的ptr和cookie为binder_node的ptr和cookie.
(4) Service进程中根据ptr和cookie值得知Client想调用哪个函数(服务)。

17.mm showcommands 编译,打印出头文件搜索路径等信息

18.Binder系统过程分析

(1)addService("Hello", *ptr),在C实现的Demo中调用bio_put_obj(),将ptr赋值给flat_binder_object.binder,cookie赋值为0。内核中
表示服务的binder_node结构的*ptr和*cookie的值就是由Service应用程序传参控制的,可用于区分不同的Service。

void bio_put_obj(struct binder_io *bio, void *ptr) 
{ 
    /*内核中根据这个结构体创建binder_node结构体*/ 
    struct flat_binder_object *obj; 
 
    obj = bio_alloc_obj(bio); 
    if (!obj) 
        return; 
 
    obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; 
    obj->type = BINDER_TYPE_BINDER; 
    obj->binder = (uintptr_t)ptr; 
    obj->cookie = 0; /*这里的binder和cookie都是由Service决定的*/ 
}

a.binder驱动收到flat_binder_object结构体,且其type = BINDER_TYPE_BINDER(表示Service),就会在内核中创建一个binder_node结构体,
其target.ptr和cookie来自Service传入的flat_binder_object结构体。

b.由于addService()时指定的handle=0,binder驱动会将收到的数据转发给SM进程,并为SM进程构造一个binder_ref结构体,其node指向Hello
Service的binder_node结构体,其desc域为1(假设Hello Servie是系统中第一个向SM注册的服务)表示此Service是第一个注册进SM的服务。SM用
户空间程序会在svlist链表上创建一个svcinfo结构记录下这个Hello服务,其name="hello",handle就等于binder_ref中的desc(就是1)。

(2)getService("hello")

c.cilent向SM获取服务(构造数据handle=0),SM在svlist通过名字"hello"进行查找,找到对应的Hello服务,其handle为1,然后就构造一个flat_binder_object结构体
其type=BINDER_TYPE_HANDLE(表示引用),然后发给驱动。驱动检测数数据中有一个flat_binder_object结构体且type=BINDER_TYPE_HANDLE(表示引用)
就会为Client进程也创建一个binder_ref结构体,其node域指向表示Hello服务的binder_node结构体,其desc为1(假定Hello服务是Client进程中获取
的第一个服务),表示Hello服务是Client获取的第一个服务。然后返回handle=1给到Client用户空间程序,之后Client程序就可以通过handle来使用Hello
服务了。

(3)Client端使用Hello服务

d.构造数据(handle=1, 要使用Service的函数编号,参数),然后发给驱动。驱动根据handle=1在本进程的binder_ref树中找到对应的binder_ref结构体,然后
根据binder_ref.node找到表示Hello服务的binder_node结构体,然后根据binder_node.proc找到Hello服务的binder_proc结构体,然后根据binder_proc.tsk
找到Hello服务进程。然后驱动构造一个binder_transaction_data,并使Hello服务的binder_node.ptr域赋值给binder_transaction_data.target.ptr,
binder_node.cookie赋值给binder_transaction_data.cookie,然后binder驱动把数据发给Hello服务进程。

e.Hello服务进程收到数据解析出binder_transaction_data结构,根据其target.ptr和(或)cookie域知道Client要使用哪个服务(因为一个进程可能注册多个服务,
只不过这个Hello服务进程只注册了一个服务而已)。然后根据binder_transaction_data.code知道Client要调用服务的哪个函数。然后调用对应的函数,并把执行
结果返回给Client。

然后释放buffer。

binder_ref是区分进程的,binder_node表示服务是不区分进程的。用户空间的handle来源于binder_ref,所以它也是per进程的(除了SM的恒为0)。


二、测试Demo

测试Demo来自frameworks/native/cmds/servicemanager下的文件的修改

binder.c(修改支持Service多线程)

/* Copyright 2008 The Android Open Source Project 
 */ 
 
#include <inttypes.h> 
#include <stdio.h> 
#include <stdlib.h> 
#include <errno.h> 
#include <unistd.h> 
#include <fcntl.h> 
#include <sys/mman.h> 
#include <linux/types.h> 
#include<stdbool.h> 
#include <string.h> 
#include <pthread.h> 
 
#include "binder.h" 
 
#define MAX_BIO_SIZE (1 << 30) 
 
#define TRACE 0 
 
#if TRACE 
#define ALOGI(x...) fprintf(stderr, "binder: " x) 
#define ALOGE(x...) fprintf(stderr, "binder: " x) 
#else 
#define ALOGI(x...)  
#define ALOGE(x...)  
#endif 
 
#define LOG_TAG "Binder" 
//#include <cutils/log.h> 
 
void bio_init_from_txn(struct binder_io *io, struct binder_transaction_data *txn); 
 
#if TRACE 
void hexdump(void *_data, size_t len) 
{ 
    unsigned char *data = _data; 
    size_t count; 
 
    for (count = 0; count < len; count++) { 
        if ((count & 15) == 0) 
            fprintf(stderr,"%04zu:", count); 
        fprintf(stderr," %02x %c", *data, 
                (*data < 32) || (*data > 126) ? '.' : *data); 
        data++; 
        if ((count & 15) == 15) 
            fprintf(stderr,"\n"); 
    } 
    if ((count & 15) != 0) 
        fprintf(stderr,"\n"); 
} 
 
void binder_dump_txn(struct binder_transaction_data *txn) 
{ 
    struct flat_binder_object *obj; 
    binder_size_t *offs = (binder_size_t *)(uintptr_t)txn->data.ptr.offsets; 
    size_t count = txn->offsets_size / sizeof(binder_size_t); 
 
    fprintf(stderr,"  target %016"PRIx64"  cookie %016"PRIx64"  code %08x  flags %08x\n", 
            (uint64_t)txn->target.ptr, (uint64_t)txn->cookie, txn->code, txn->flags); 
    fprintf(stderr,"  pid %8d  uid %8d  data %"PRIu64"  offs %"PRIu64"\n", 
            txn->sender_pid, txn->sender_euid, (uint64_t)txn->data_size, (uint64_t)txn->offsets_size); 
    hexdump((void *)(uintptr_t)txn->data.ptr.buffer, txn->data_size); 
    while (count--) { 
        obj = (struct flat_binder_object *) (((char*)(uintptr_t)txn->data.ptr.buffer) + *offs++); 
        fprintf(stderr,"  - type %08x  flags %08x  ptr %016"PRIx64"  cookie %016"PRIx64"\n", 
                obj->type, obj->flags, (uint64_t)obj->binder, (uint64_t)obj->cookie); 
    } 
} 
 
#define NAME(n) case n: return #n 
const char *cmd_name(uint32_t cmd) 
{ 
    switch(cmd) { 
        NAME(BR_NOOP); 
        NAME(BR_TRANSACTION_COMPLETE); 
        NAME(BR_INCREFS); 
        NAME(BR_ACQUIRE); 
        NAME(BR_RELEASE); 
        NAME(BR_DECREFS); 
        NAME(BR_TRANSACTION); 
        NAME(BR_REPLY); 
        NAME(BR_FAILED_REPLY); 
        NAME(BR_DEAD_REPLY); 
        NAME(BR_DEAD_BINDER);         
    default: return "???"; 
    } 
} 
#else 
#define hexdump(a,b) do{} while (0) 
#define binder_dump_txn(txn)  do{} while (0) 
#endif 
 
#define BIO_F_SHARED    0x01  /* needs to be buffer freed */ 
#define BIO_F_OVERFLOW  0x02  /* ran out of space */ 
#define BIO_F_IOERROR   0x04 
#define BIO_F_MALLOCED  0x08  /* needs to be free()'d */ 
 
struct binder_state 
{ 
    int fd; 
    void *mapped; 
    size_t mapsize; 
}; 
 
struct binder_state *binder_open(size_t mapsize) 
{ 
    struct binder_state *bs; 
    struct binder_version vers; 
 
    bs = malloc(sizeof(*bs)); 
    if (!bs) { 
        errno = ENOMEM; 
        return NULL; 
    } 
 
    bs->fd = open("/dev/binder", O_RDWR); 
    if (bs->fd < 0) { 
        fprintf(stderr,"binder: cannot open device (%s)\n", 
                strerror(errno)); 
        goto fail_open; 
    } 
 
    if ((ioctl(bs->fd, BINDER_VERSION, &vers) == -1) || 
        (vers.protocol_version != BINDER_CURRENT_PROTOCOL_VERSION)) { 
        fprintf(stderr, "binder: driver version differs from user space\n"); 
        goto fail_open; 
    } 
 
    bs->mapsize = mapsize; 
    bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0); 
    if (bs->mapped == MAP_FAILED) { 
        fprintf(stderr,"binder: cannot map device (%s)\n", 
                strerror(errno)); 
        goto fail_map; 
    } 
 
    return bs; 
 
fail_map: 
    close(bs->fd); 
fail_open: 
    free(bs); 
    return NULL; 
} 
 
void binder_close(struct binder_state *bs) 
{ 
    munmap(bs->mapped, bs->mapsize); 
    close(bs->fd); 
    free(bs); 
} 
 
int binder_become_context_manager(struct binder_state *bs) 
{ 
    return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0); 
} 
 
int binder_write(struct binder_state *bs, void *data, size_t len) 
{ 
    struct binder_write_read bwr; 
    int res; 
 
    bwr.write_size = len; 
    bwr.write_consumed = 0; 
    bwr.write_buffer = (uintptr_t) data; 
    bwr.read_size = 0; 
    bwr.read_consumed = 0; 
    bwr.read_buffer = 0; 
    res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 
    if (res < 0) { 
        fprintf(stderr,"binder_write: ioctl failed (%s)\n", 
                strerror(errno)); 
    } 
    return res; 
} 
 
void binder_send_reply(struct binder_state *bs, 
                       struct binder_io *reply, 
                       binder_uintptr_t buffer_to_free, 
                       int status) 
{ 
    struct { 
        uint32_t cmd_free; 
        binder_uintptr_t buffer; 
        uint32_t cmd_reply; 
        struct binder_transaction_data txn; 
    } __attribute__((packed)) data; 
 
    data.cmd_free = BC_FREE_BUFFER; 
    data.buffer = buffer_to_free; 
    data.cmd_reply = BC_REPLY; 
    data.txn.target.ptr = 0; 
    data.txn.cookie = 0; 
    data.txn.code = 0; 
    if (status) { 
        data.txn.flags = TF_STATUS_CODE; 
        data.txn.data_size = sizeof(int); 
        data.txn.offsets_size = 0; 
        data.txn.data.ptr.buffer = (uintptr_t)&status; 
        data.txn.data.ptr.offsets = 0; 
    } else { 
        data.txn.flags = 0; 
        data.txn.data_size = reply->data - reply->data0; 
        data.txn.offsets_size = ((char*) reply->offs) - ((char*) reply->offs0); 
        data.txn.data.ptr.buffer = (uintptr_t)reply->data0; 
        data.txn.data.ptr.offsets = (uintptr_t)reply->offs0; 
    } 
    binder_write(bs, &data, sizeof(data)); 
} 
 
/*这是另一个线程执行函数*/ 
void binder_thread_loop(struct binder_state *bs, binder_handler func) 
{ 
    int res; 
    struct binder_write_read bwr; 
    uint32_t readbuf[32]; 
 
    bwr.write_size = 0; 
    bwr.write_consumed = 0; 
    bwr.write_buffer = 0; 
 
    readbuf[0] = BC_REGISTER_LOOPER; 
    binder_write(bs, readbuf, sizeof(uint32_t)); 
 
    for (;;) { 
        bwr.read_size = sizeof(readbuf); 
        bwr.read_consumed = 0; 
        bwr.read_buffer = (uintptr_t) readbuf; 
 
        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 
 
        if (res < 0) { 
            ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); 
            break; 
        } 
 
        res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); 
        if (res == 0) { 
            ALOGE("binder_loop: unexpected reply?!\n"); 
            break; 
        } 
        if (res < 0) { 
            ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); 
            break; 
        } 
    } 
} 
 
// struct binder_state *bs, binder_handler func 
struct binder_thread_desc { 
    struct binder_state *bs; 
    binder_handler func; 
}; 
static void * binder_thread_routine(struct binder_thread_desc *btd) 
{ 
    binder_thread_loop(btd->bs, btd->func); 
    return NULL; 
} 
 
int binder_parse(struct binder_state *bs, struct binder_io *bio, 
                 uintptr_t ptr, size_t size, binder_handler func) 
{ 
    int r = 1; 
    uintptr_t end = ptr + (uintptr_t) size; 
 
    while (ptr < end) { 
        uint32_t cmd = *(uint32_t *) ptr; 
        ptr += sizeof(uint32_t); 
#if TRACE 
        fprintf(stderr,"%s:\n", cmd_name(cmd)); 
#endif 
        switch(cmd) { 
        case BR_NOOP: 
            break; 
        case BR_TRANSACTION_COMPLETE: 
            break; 
        case BR_INCREFS: 
        case BR_ACQUIRE: 
        case BR_RELEASE: 
        case BR_DECREFS: 
#if TRACE 
            fprintf(stderr,"  %p, %p\n", (void *)ptr, (void *)(ptr + sizeof(void *))); 
#endif 
            ptr += sizeof(struct binder_ptr_cookie); 
            break; 
        case BR_SPAWN_LOOPER: { 
            /* create new thread */ 
            //if (fork() == 0) { 
            //} 
            pthread_t thread; 
            struct binder_thread_desc btd; 
 
            btd.bs = bs; 
            btd.func = func; 
             
            pthread_create(&thread, NULL, binder_thread_routine, &btd); 
 
            /* in new thread: ioctl(BC_ENTER_LOOPER), enter binder_looper */ 
 
            break; 
        } 
        case BR_TRANSACTION: { 
            struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; 
            if ((end - ptr) < sizeof(*txn)) { 
                ALOGE("parse: txn too small!\n"); 
                return -1; 
            } 
            binder_dump_txn(txn); 
            if (func) { 
                unsigned rdata[256/4]; 
                struct binder_io msg; 
                struct binder_io reply; 
                int res; 
 
                bio_init(&reply, rdata, sizeof(rdata), 4); 
                bio_init_from_txn(&msg, txn); 
                res = func(bs, txn, &msg, &reply); 
                binder_send_reply(bs, &reply, txn->data.ptr.buffer, res); 
            } 
            ptr += sizeof(*txn); 
            break; 
        } 
        case BR_REPLY: { 
            struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr; 
            if ((end - ptr) < sizeof(*txn)) { 
                ALOGE("parse: reply too small!\n"); 
                return -1; 
            } 
            binder_dump_txn(txn); 
            if (bio) { 
                bio_init_from_txn(bio, txn); 
                bio = 0; 
            } else { 
                /* todo FREE BUFFER */ 
            } 
            ptr += sizeof(*txn); 
            r = 0; 
            break; 
        } 
        case BR_DEAD_BINDER: { 
            struct binder_death *death = (struct binder_death *)(uintptr_t) *(binder_uintptr_t *)ptr; 
            ptr += sizeof(binder_uintptr_t); 
            death->func(bs, death->ptr); 
            break; 
        } 
        case BR_FAILED_REPLY: 
            r = -1; 
            break; 
        case BR_DEAD_REPLY: 
            r = -1; 
            break; 
        default: 
            ALOGE("parse: OOPS %d\n", cmd); 
            return -1; 
        } 
    } 
 
    return r; 
} 
 
void binder_acquire(struct binder_state *bs, uint32_t target) 
{ 
    uint32_t cmd[2]; 
    cmd[0] = BC_ACQUIRE; 
    cmd[1] = target; 
    binder_write(bs, cmd, sizeof(cmd)); 
} 
 
void binder_release(struct binder_state *bs, uint32_t target) 
{ 
    uint32_t cmd[2]; 
    cmd[0] = BC_RELEASE; 
    cmd[1] = target; 
    binder_write(bs, cmd, sizeof(cmd)); 
} 
 
void binder_link_to_death(struct binder_state *bs, uint32_t target, struct binder_death *death) 
{ 
    struct { 
        uint32_t cmd; 
        struct binder_handle_cookie payload; 
    } __attribute__((packed)) data; 
 
    data.cmd = BC_REQUEST_DEATH_NOTIFICATION; 
    data.payload.handle = target; 
    data.payload.cookie = (uintptr_t) death; 
    binder_write(bs, &data, sizeof(data)); 
} 
 
int binder_call(struct binder_state *bs, 
                struct binder_io *msg, struct binder_io *reply, 
                uint32_t target, uint32_t code) 
{ 
    int res; 
    struct binder_write_read bwr; 
    struct { 
        uint32_t cmd; 
        struct binder_transaction_data txn; 
    } __attribute__((packed)) writebuf; 
    unsigned readbuf[32]; 
 
    if (msg->flags & BIO_F_OVERFLOW) { 
        fprintf(stderr,"binder: txn buffer overflow\n"); 
        goto fail; 
    } 
 
    writebuf.cmd = BC_TRANSACTION; 
    writebuf.txn.target.handle = target; 
    writebuf.txn.code = code; 
    writebuf.txn.flags = 0; 
    writebuf.txn.data_size = msg->data - msg->data0; 
    writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0); 
    writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0; 
    writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0; 
 
    bwr.write_size = sizeof(writebuf); 
    bwr.write_consumed = 0; 
    bwr.write_buffer = (uintptr_t) &writebuf; 
 
    hexdump(msg->data0, msg->data - msg->data0); 
    for (;;) { 
        bwr.read_size = sizeof(readbuf); 
        bwr.read_consumed = 0; 
        bwr.read_buffer = (uintptr_t) readbuf; 
 
        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 
 
        if (res < 0) { 
            fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno)); 
            goto fail; 
        } 
 
        res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0); 
        if (res == 0) return 0; 
        if (res < 0) goto fail; 
    } 
 
fail: 
    memset(reply, 0, sizeof(*reply)); 
    reply->flags |= BIO_F_IOERROR; 
    return -1; 
} 
 
void binder_set_maxthreads(struct binder_state *bs, int threads) 
{ 
    ioctl(bs->fd, BINDER_SET_MAX_THREADS, &threads); 
} 
 
void binder_loop(struct binder_state *bs, binder_handler func) 
{ 
    int res; 
    struct binder_write_read bwr; 
    uint32_t readbuf[32]; 
 
    bwr.write_size = 0; 
    bwr.write_consumed = 0; 
    bwr.write_buffer = 0; 
 
    readbuf[0] = BC_ENTER_LOOPER; 
    binder_write(bs, readbuf, sizeof(uint32_t)); 
 
    for (;;) { 
        bwr.read_size = sizeof(readbuf); 
        bwr.read_consumed = 0; 
        bwr.read_buffer = (uintptr_t) readbuf; 
 
        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr); 
 
        if (res < 0) { 
            ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno)); 
            break; 
        } 
 
        res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func); 
        if (res == 0) { 
            ALOGE("binder_loop: unexpected reply?!\n"); 
            break; 
        } 
        if (res < 0) { 
            ALOGE("binder_loop: io error %d %s\n", res, strerror(errno)); 
            break; 
        } 
    } 
} 
 
void bio_init_from_txn(struct binder_io *bio, struct binder_transaction_data *txn) 
{ 
    bio->data = bio->data0 = (char *)(intptr_t)txn->data.ptr.buffer; 
    bio->offs = bio->offs0 = (binder_size_t *)(intptr_t)txn->data.ptr.offsets; 
    bio->data_avail = txn->data_size; 
    bio->offs_avail = txn->offsets_size / sizeof(size_t); 
    bio->flags = BIO_F_SHARED; 
} 
 
void bio_init(struct binder_io *bio, void *data, 
              size_t maxdata, size_t maxoffs) 
{ 
    size_t n = maxoffs * sizeof(size_t); 
 
    if (n > maxdata) { 
        bio->flags = BIO_F_OVERFLOW; 
        bio->data_avail = 0; 
        bio->offs_avail = 0; 
        return; 
    } 
 
    bio->data = bio->data0 = (char *) data + n; 
    bio->offs = bio->offs0 = data; 
    bio->data_avail = maxdata - n; 
    bio->offs_avail = maxoffs; 
    bio->flags = 0; 
} 
 
static void *bio_alloc(struct binder_io *bio, size_t size) 
{ 
    size = (size + 3) & (~3); 
    if (size > bio->data_avail) { 
        bio->flags |= BIO_F_OVERFLOW; 
        return NULL; 
    } else { 
        void *ptr = bio->data; 
        bio->data += size; 
        bio->data_avail -= size; 
        return ptr; 
    } 
} 
 
void binder_done(struct binder_state *bs, 
                 struct binder_io *msg, 
                 struct binder_io *reply) 
{ 
    struct { 
        uint32_t cmd; 
        uintptr_t buffer; 
    } __attribute__((packed)) data; 
 
    if (reply->flags & BIO_F_SHARED) { 
        data.cmd = BC_FREE_BUFFER; 
        data.buffer = (uintptr_t) reply->data0; 
        binder_write(bs, &data, sizeof(data)); 
        reply->flags = 0; 
    } 
} 
 
static struct flat_binder_object *bio_alloc_obj(struct binder_io *bio) 
{ 
    struct flat_binder_object *obj; 
 
    obj = bio_alloc(bio, sizeof(*obj)); 
 
    if (obj && bio->offs_avail) { 
        bio->offs_avail--; 
        *bio->offs++ = ((char*) obj) - ((char*) bio->data0); 
        return obj; 
    } 
 
    bio->flags |= BIO_F_OVERFLOW; 
    return NULL; 
} 
 
void bio_put_uint32(struct binder_io *bio, uint32_t n) 
{ 
    uint32_t *ptr = bio_alloc(bio, sizeof(n)); 
    if (ptr) 
        *ptr = n; 
} 
 
void bio_put_obj(struct binder_io *bio, void *ptr) 
{ 
    struct flat_binder_object *obj; 
 
    obj = bio_alloc_obj(bio); 
    if (!obj) 
        return; 
 
    obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; 
    obj->type = BINDER_TYPE_BINDER; 
    obj->binder = (uintptr_t)ptr; 
    obj->cookie = 0; 
} 
 
void bio_put_ref(struct binder_io *bio, uint32_t handle) 
{ 
    struct flat_binder_object *obj; 
 
    if (handle) 
        obj = bio_alloc_obj(bio); 
    else 
        obj = bio_alloc(bio, sizeof(*obj)); 
 
    if (!obj) 
        return; 
 
    obj->flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS; 
    obj->type = BINDER_TYPE_HANDLE; 
    obj->handle = handle; 
    obj->cookie = 0; 
} 
 
void bio_put_string16(struct binder_io *bio, const uint16_t *str) 
{ 
    size_t len; 
    uint16_t *ptr; 
 
    if (!str) { 
        bio_put_uint32(bio, 0xffffffff); 
        return; 
    } 
 
    len = 0; 
    while (str[len]) len++; 
 
    if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { 
        bio_put_uint32(bio, 0xffffffff); 
        return; 
    } 
 
    /* Note: The payload will carry 32bit size instead of size_t */ 
    bio_put_uint32(bio, (uint32_t) len); 
    len = (len + 1) * sizeof(uint16_t); 
    ptr = bio_alloc(bio, len); 
    if (ptr) 
        memcpy(ptr, str, len); 
} 
 
void bio_put_string16_x(struct binder_io *bio, const char *_str) 
{ 
    unsigned char *str = (unsigned char*) _str; 
    size_t len; 
    uint16_t *ptr; 
 
    if (!str) { 
        bio_put_uint32(bio, 0xffffffff); 
        return; 
    } 
 
    len = strlen(_str); 
 
    if (len >= (MAX_BIO_SIZE / sizeof(uint16_t))) { 
        bio_put_uint32(bio, 0xffffffff); 
        return; 
    } 
 
    /* Note: The payload will carry 32bit size instead of size_t */ 
    bio_put_uint32(bio, len); 
    ptr = bio_alloc(bio, (len + 1) * sizeof(uint16_t)); 
    if (!ptr) 
        return; 
 
    while (*str) 
        *ptr++ = *str++; 
    *ptr++ = 0; 
} 
 
static void *bio_get(struct binder_io *bio, size_t size) 
{ 
    size = (size + 3) & (~3); 
 
    if (bio->data_avail < size){ 
        bio->data_avail = 0; 
        bio->flags |= BIO_F_OVERFLOW; 
        return NULL; 
    }  else { 
        void *ptr = bio->data; 
        bio->data += size; 
        bio->data_avail -= size; 
        return ptr; 
    } 
} 
 
uint32_t bio_get_uint32(struct binder_io *bio) 
{ 
    uint32_t *ptr = bio_get(bio, sizeof(*ptr)); 
    return ptr ? *ptr : 0; 
} 
 
uint16_t *bio_get_string16(struct binder_io *bio, size_t *sz) 
{ 
    size_t len; 
 
    /* Note: The payload will carry 32bit size instead of size_t */ 
    len = (size_t) bio_get_uint32(bio); 
    if (sz) 
        *sz = len; 
    return bio_get(bio, (len + 1) * sizeof(uint16_t)); 
} 
 
static struct flat_binder_object *_bio_get_obj(struct binder_io *bio) 
{ 
    size_t n; 
    size_t off = bio->data - bio->data0; 
 
    /* TODO: be smarter about this? */ 
    for (n = 0; n < bio->offs_avail; n++) { 
        if (bio->offs[n] == off) 
            return bio_get(bio, sizeof(struct flat_binder_object)); 
    } 
 
    bio->data_avail = 0; 
    bio->flags |= BIO_F_OVERFLOW; 
    return NULL; 
} 
 
uint32_t bio_get_ref(struct binder_io *bio) 
{ 
    struct flat_binder_object *obj; 
 
    obj = _bio_get_obj(bio); 
    if (!obj) 
        return 0; 
 
    if (obj->type == BINDER_TYPE_HANDLE) 
        return obj->handle; 
 
    return 0; 
}

test_server.c

/* Copyright 2008 The Android Open Source Project 
 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
#include <errno.h> 
#include <linux/types.h> 
#include<stdbool.h> 
#include <string.h> 
 
#include <private/android_filesystem_config.h> 
 
#include "binder.h" 
#include "test_server.h" 
 
int svcmgr_publish(struct binder_state *bs, uint32_t target, 
    const char *name, void *ptr) 
{ 
    int status; 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    bio_put_uint32(&msg, 0);  // strict mode header 
    bio_put_string16_x(&msg, SVC_MGR_NAME); 
    bio_put_string16_x(&msg, name); 
    bio_put_obj(&msg, ptr); 
 
    if (binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE)) 
        return -1; 
 
    status = bio_get_uint32(&reply); 
 
    binder_done(bs, &msg, &reply); 
 
    return status; 
} 
 
void sayhello(void) 
{ 
    static int cnt = 0; 
    fprintf(stderr, "say hello : %d\n", cnt++); 
} 
 
 
int sayhello_to(char *name) 
{ 
    static int cnt = 0; 
    fprintf(stderr, "say hello to %s : %d\n", name, cnt++); 
    return cnt; 
} 
 
void saygoodbye(void) 
{ 
    static int cnt = 0; 
    fprintf(stderr, "say goodbye : %d\n", cnt++); 
} 
 
 
int saygoodbye_to(char *name) 
{ 
    static int cnt = 0; 
    fprintf(stderr, "say goodbye to %s : %d\n", name, cnt++); 
    return cnt; 
} 
 
 
int hello_service_handler(struct binder_state *bs, 
                   struct binder_transaction_data *txn, 
                   struct binder_io *msg, 
                   struct binder_io *reply) 
{ 
    /* 根据txn->code知道要调用哪一个函数 
     * 如果需要参数, 可以从msg取出 
     * 如果要返回结果, 可以把结果放入reply 
     */ 
 
    /* sayhello 
     * sayhello_to 
     */ 
     
    uint16_t *s; 
    char name[512]; 
    size_t len; 
    uint32_t handle; 
    uint32_t strict_policy; 
    int i; 
 
 
    // Equivalent to Parcel::enforceInterface(), reading the RPC 
    // header with the strict mode policy mask and the interface name. 
    // Note that we ignore the strict_policy and don't propagate it 
    // further (since we do no outbound RPCs anyway). 
    strict_policy = bio_get_uint32(msg); 
 
 
    switch(txn->code) { 
    case HELLO_SVR_CMD_SAYHELLO: 
        sayhello(); 
        return 0; 
 
    case HELLO_SVR_CMD_SAYHELLO_TO: 
        /* 从msg里取出字符串 */ 
        s = bio_get_string16(msg, &len); 
        if (s == NULL) { 
            return -1; 
        } 
        for (i = 0; i < len; i++) 
            name[i] = s[i]; 
        name[i] = '\0'; 
 
        /* 处理 */ 
        i = sayhello_to(name); 
 
        /* 把结果放入reply */ 
        bio_put_uint32(reply, i); 
         
        break; 
 
    default: 
        fprintf(stderr, "unknown code %d\n", txn->code); 
        return -1; 
    } 
 
    return 0; 
} 
 
 
 
int goodbye_service_handler(struct binder_state *bs, 
                   struct binder_transaction_data *txn, 
                   struct binder_io *msg, 
                   struct binder_io *reply) 
{ 
    /* 根据txn->code知道要调用哪一个函数 
     * 如果需要参数, 可以从msg取出 
     * 如果要返回结果, 可以把结果放入reply 
     */ 
 
    /* sayhello 
     * sayhello_to 
     */ 
     
    uint16_t *s; 
    char name[512]; 
    size_t len; 
    uint32_t handle; 
    uint32_t strict_policy; 
    int i; 
 
 
    // Equivalent to Parcel::enforceInterface(), reading the RPC 
    // header with the strict mode policy mask and the interface name. 
    // Note that we ignore the strict_policy and don't propagate it 
    // further (since we do no outbound RPCs anyway). 
    strict_policy = bio_get_uint32(msg); 
 
 
    switch(txn->code) { 
    case GOODBYE_SVR_CMD_SAYGOODBYE: 
        saygoodbye(); 
        return 0; 
 
    case GOODBYE_SVR_CMD_SAYGOODBYE_TO: 
        /* 从msg里取出字符串 */ 
        s = bio_get_string16(msg, &len); 
        if (s == NULL) { 
            return -1; 
        } 
        for (i = 0; i < len; i++) 
            name[i] = s[i]; 
        name[i] = '\0'; 
 
        /* 处理 */ 
        i = saygoodbye_to(name); 
 
        /* 把结果放入reply */ 
        bio_put_uint32(reply, i); 
         
        break; 
 
    default: 
        fprintf(stderr, "unknown code %d\n", txn->code); 
        return -1; 
    } 
 
    return 0; 
} 
 
 
int test_server_handler(struct binder_state *bs, 
                   struct binder_transaction_data *txn, 
                   struct binder_io *msg, 
                   struct binder_io *reply) 
{ 
    int (*handler)(struct binder_state *bs, 
                   struct binder_transaction_data *txn, 
                   struct binder_io *msg, 
                   struct binder_io *reply); 
 
    handler = (int (*)(struct binder_state *bs, 
                   struct binder_transaction_data *txn, 
                   struct binder_io *msg, 
                   struct binder_io *reply))txn->target.ptr; 
     
    return handler(bs, txn, msg, reply); 
} 
 
int main(int argc, char **argv) 
{ 
    int fd; 
    struct binder_state *bs; 
    uint32_t svcmgr = BINDER_SERVICE_MANAGER; 
    uint32_t handle; 
    int ret; 
 
    bs = binder_open(128*1024); 
    if (!bs) { 
        fprintf(stderr, "failed to open binder driver\n"); 
        return -1; 
    } 
 
    /* add service */ 
    ret = svcmgr_publish(bs, svcmgr, "hello", hello_service_handler); 
    if (ret) { 
        fprintf(stderr, "failed to publish hello service\n"); 
        return -1; 
    } 
    ret = svcmgr_publish(bs, svcmgr, "goodbye", goodbye_service_handler); 
    if (ret) { 
        fprintf(stderr, "failed to publish goodbye service\n"); 
    } 
 
#if 0 
    while (1) 
    { 
        /* read data */ 
        /* parse data, and process */ 
        /* reply */ 
    } 
#endif 
 
    binder_set_maxthreads(bs, 10); 
 
    binder_loop(bs, test_server_handler); 
 
    return 0; 
}

test_client.c

/* Copyright 2008 The Android Open Source Project 
 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
#include <errno.h> 
#include <linux/types.h> 
#include<stdbool.h> 
#include <string.h> 
 
#include <private/android_filesystem_config.h> 
 
#include "binder.h" 
#include "test_server.h" 
 
 
 
uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name) 
{ 
    uint32_t handle; 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    bio_put_uint32(&msg, 0);  // strict mode header 
    bio_put_string16_x(&msg, SVC_MGR_NAME); 
    bio_put_string16_x(&msg, name); 
 
    if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE)) 
        return 0; 
 
    handle = bio_get_ref(&reply); 
 
    if (handle) 
        binder_acquire(bs, handle); 
 
    binder_done(bs, &msg, &reply); 
 
    return handle; 
} 
 
 
struct binder_state *g_bs; 
uint32_t g_hello_handle; 
uint32_t g_goodbye_handle; 
 
void sayhello(void) 
{ 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
 
    /* 构造binder_io */ 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    /*这是写入的一个垃圾数据,没有使用*/ 
    bio_put_uint32(&msg, 0);  // strict mode header 
 
    /* 放入参数 */ 
 
    /* 调用binder_call */ 
    if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO)) 
        return ; 
     
    /* 从reply中解析出返回值 */ 
 
    binder_done(g_bs, &msg, &reply); 
     
} 
 
int sayhello_to(char *name) 
{ 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
    int ret; 
 
    /* 构造binder_io */ 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    bio_put_uint32(&msg, 0);  // strict mode header 
 
    /* 放入参数 */ 
    bio_put_string16_x(&msg, name); 
 
    /* 调用binder_call */ 
    if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO_TO)) 
        return 0; 
     
    /* 从reply中解析出返回值 */ 
    ret = bio_get_uint32(&reply); 
 
    binder_done(g_bs, &msg, &reply); 
 
    return ret; 
     
} 
 
 
void saygoodbye(void) 
{ 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
 
    /* 构造binder_io */ 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    bio_put_uint32(&msg, 0);  // strict mode header 
 
    /* 放入参数 */ 
 
    /* 调用binder_call */ 
    if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE)) 
        return ; 
     
    /* 从reply中解析出返回值 */ 
 
    binder_done(g_bs, &msg, &reply); 
     
} 
 
int saygoodbye_to(char *name) 
{ 
    unsigned iodata[512/4]; 
    struct binder_io msg, reply; 
    int ret; 
 
    /* 构造binder_io */ 
    bio_init(&msg, iodata, sizeof(iodata), 4); 
    bio_put_uint32(&msg, 0);  // strict mode header 
 
    /* 放入参数 */ 
    bio_put_string16_x(&msg, name); 
 
    /* 调用binder_call */ 
    if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE_TO)) 
        return 0; 
     
    /* 从reply中解析出返回值 */ 
    ret = bio_get_uint32(&reply); 
 
    binder_done(g_bs, &msg, &reply); 
 
    return ret; 
     
} 
 
 
 
 
 
/* ./test_client hello 
 * ./test_client hello <name> 
 */ 
 
int main(int argc, char **argv) 
{ 
    int fd; 
    struct binder_state *bs; 
    uint32_t svcmgr = BINDER_SERVICE_MANAGER; 
    uint32_t handle; 
    int ret; 
 
    if (argc < 2){ 
        fprintf(stderr, "Usage:\n"); 
        fprintf(stderr, "%s <hello|goodbye>\n", argv[0]); 
        fprintf(stderr, "%s <hello|goodbye> <name>\n", argv[0]); 
        return -1; 
    } 
 
    bs = binder_open(128*1024); 
    if (!bs) { 
        fprintf(stderr, "failed to open binder driver\n"); 
        return -1; 
    } 
    g_bs = bs; 
 
 
    /* get service */ 
    handle = svcmgr_lookup(bs, svcmgr, "goodbye"); 
    if (!handle) { 
        fprintf(stderr, "failed to get goodbye service\n"); 
        return -1; 
    } 
    g_goodbye_handle = handle; 
    fprintf(stderr, "Handle for goodbye service = %d\n", g_goodbye_handle); 
 
    handle = svcmgr_lookup(bs, svcmgr, "hello"); 
    if (!handle) { 
        fprintf(stderr, "failed to get hello service\n"); 
        return -1; 
    } 
    g_hello_handle = handle; 
    fprintf(stderr, "Handle for hello service = %d\n", g_hello_handle); 
 
    /* send data to server */ 
    if (!strcmp(argv[1], "hello")) 
    { 
        if (argc == 2) { 
            sayhello(); 
        } else if (argc == 3) { 
            ret = sayhello_to(argv[2]); 
            fprintf(stderr, "get ret of sayhello_to = %d\n", ret);         
        } 
    } else if (!strcmp(argv[1], "goodbye")) 
    { 
        if (argc == 2) { 
            saygoodbye(); 
        } else if (argc == 3) { 
            ret = saygoodbye_to(argv[2]); 
            fprintf(stderr, "get ret of sayhello_to = %d\n", ret);         
        } 
    } 
 
    binder_release(bs, handle); 
 
    return 0; 
}

代码:http://github.com/weidongshan/APP_0003_Binder_C_App.git

修改的加打印的驱动:http://github.com/weidongshan/DRV_0003_Binder.git

优秀博文:
Android Binder的设计与实现: http://blog.csdn.net/universus/article/details/6211589
binder双向传输栈分析:http://www.cnblogs.com/samchen2009/p/3316001.html


本文参考链接:https://www.cnblogs.com/hellokitty2/p/10847076.html