Android进程间通信IPC机制Binder

Android进程间通信（IPC）机制Binder简要介绍和学习计划

在Android系统中，每一个应用程序都是由一些Activity和Service组成的，一般Service运行在独立的进程中，而Activity有可能运行在同一个进程中，也有可能运行在不同的进程中。那么，不在同一个进程的Activity或者Service是如何通信的呢？这就是本文中要介绍的Binder进程间通信机制了。

我们知道，Android系统是基于Linux内核的，而Linux内核继承和兼容了丰富的Unix系统进程间通信（IPC）机制。有传统的管道（Pipe）、信号（Signal）和跟踪（Trace），这三项通信手段只能用于父进程与子进程之间，或者兄弟进程之间；后来又增加了命令管道（Named Pipe），使得进程间通信不再局限于父子进程或者兄弟进程之间；为了更好地支持商业应用中的事务处理，在AT&T的Unix系统V中，又增加了三种称为“System V IPC”的进程间通信机制，分别是报文队列（Message）、共享内存（Share Memory）和信号量（Semaphore）；后来BSD Unix对“System V IPC”机制进行了重要的扩充，提供了一种称为插口（Socket）的进程间通信机制。若想进一步详细了解这些进程间通信机制，建议参考Android学习启动篇一文中提到《Linux内核源代码情景分析》一书。

但是，Android系统没有采用上述提到的各种进程间通信机制，而是采用Binder机制，难道是因为考虑到了移动设备硬件性能较差、内存较低的特点？不得而知。Binder其实也不是Android提出来的一套新的进程间通信机制，它是基于OpenBinder来实现的。OpenBinder最先是由Be Inc.开发的，接着Palm Inc.也跟着使用。现在OpenBinder的作者Dianne Hackborn就是在Google工作，负责Android平台的开发工作。

前面一再提到，Binder是一种进程间通信机制，它是一种类似于COM和CORBA分布式组件架构，通俗一点，其实是提供远程过程调用（RPC）功能。从英文字面上意思看，Binder具有粘结剂的意思，那么它把什么东西粘结在一起呢？在Android系统的Binder机制中，由一系统组件组成，分别是Client、Server、Service Manager和Binder驱动程序，其中Client、Server和Service Manager运行在用户空间，Binder驱动程序运行内核空间。Binder就是一种把这四个组件粘合在一起的粘结剂了，其中，核心组件便是Binder驱动程序了，Service Manager提供了辅助管理的功能，Client和Server正是在Binder驱动和Service Manager提供的基础设施上，进行Client-Server之间的通信。Service Manager和Binder驱动已经在Android平台中实现好，开发者只要按照规范实现自己的Client和Server组件就可以了。说起来简单，做起难，对初学者来说，Android系统的Binder机制是最难理解的了，而Binder机制无论从系统开发还是应用开发的角度来看，都是Android系统中最重要的组成，因此，很有必要深入了解Binder的工作方式。要深入了解Binder的工作方式，最好的方式莫过于是阅读Binder相关的源代码了，Linux的鼻祖Linus Torvalds曾经曰过一句名言RTFSC：Read The Fucking Source Code。

虽说阅读Binder的源代码是学习Binder机制的最好的方式，但是也绝不能打无准备之仗，因为Binder的相关源代码是比较枯燥无味而且比较难以理解的，如果能够辅予一些理论知识，那就更好了。闲话少说，网上关于Binder机制的资料还是不少的，这里就不想再详细写一遍了，强烈推荐下面两篇文章：

Android深入浅出之Binder机制

Android Binder设计与实现 – 设计篇

Android深入浅出之Binder机制一文从情景出发，深入地介绍了Binder在用户空间的三个组件Client、Server和Service Manager的相互关系，Android Binder设计与实现一文则是详细地介绍了内核空间的Binder驱动程序的数据结构和设计原理。非常感谢这两位作者给我们带来这么好的Binder学习资料。总结一下，Android系统Binder机制中的四个组件Client、Server、Service Manager和Binder驱动程序的关系如下图所示：

1. Client、Server和Service Manager实现在用户空间中，Binder驱动程序实现在内核空间中

2. Binder驱动程序和Service Manager在Android平台中已经实现，开发者只需要在用户空间实现自己的Client和Server

3. Binder驱动程序提供设备文件/dev/binder与用户空间交互，Client、Server和Service Manager通过open和ioctl文件操作函数与Binder驱动程序进行通信

4. Client和Server之间的进程间通信通过Binder驱动程序间接实现

5. Service Manager是一个守护进程，用来管理Server，并向Client提供查询Server接口的能力

至此，对Binder机制总算是有了一个感性的认识，但仍然感到不能很好地从上到下贯穿整个IPC通信过程，于是，打算通过下面四个情景来分析Binder源代码，以进一步理解Binder机制：

1. Service Manager是如何成为一个守护进程的？即Service Manager是如何告知Binder驱动程序它是Binder机制的上下文管理者。

2. Server和Client是如何获得Service Manager接口的？即defaultServiceManager接口是如何实现的。

3. Server是如何把自己的服务启动起来的？Service Manager在Server启动的过程中是如何为Server提供服务的？即IServiceManager::addService接口是如何实现的。

4 Service Manager是如何为Client提供服务的？即IServiceManager::getService接口是如何实现的。

在接下来的四篇文章中，将按照这四个情景来分析Binder源代码，都将会涉及到用户空间到内核空间的Binder相关源代码。这里为什么没有Client和Server是如何进行进程间通信的情景呢？这是因为Service Manager在作为守护进程的同时，它也充当Server角色。因此，只要我们能够理解第三和第四个情景，也就理解了Binder机制中Client和Server是如何通过Binder驱动程序进行进程间通信的了。

为了方便描述Android系统进程间通信Binder机制的原理和实现，在接下来的四篇文章中，我们都是基于C/C++语言来介绍Binder机制的实现的，但是，我们在Android系统开发应用程序时，都是基于Java语言的，因此，我们会在最后一篇文章中，详细介绍Android系统进程间通信Binder机制在应用程序框架层的Java接口实现：

5.Android系统进程间通信Binder机制在应用程序框架层的Java接口源代码分析。

浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路

分类： Android 2011-07-22 02:32 18539人阅读评论(45) 收藏举报

上一篇文章Android进程间通信（IPC）机制Binder简要介绍和学习计划简要介绍了Android系统进程间通信机制Binder的总体架构，它由Client、Server、Service Manager和驱动程序Binder四个组件构成。本文着重介绍组件Service Manager，它是整个Binder机制的守护进程，用来管理开发者创建的各种Server，并且向Client提供查询Server远程接口的功能。

既然Service Manager组件是用来管理Server并且向Client提供查询Server远程接口的功能，那么，Service Manager就必然要和Server以及Client进行通信了。我们知道，Service Manger、Client和Server三者分别是运行在独立的进程当中，这样它们之间的通信也属于进程间通信了，而且也是采用Binder机制进行进程间通信，因此，Service Manager在充当Binder机制的守护进程的角色的同时，也在充当Server的角色，然而，它是一种特殊的Server，下面我们将会看到它的特殊之处。

与Service Manager相关的源代码较多，这里不会完整去分析每一行代码，主要是带着Service Manager是如何成为整个Binder机制中的守护进程这条主线来一步一步地深入分析相关源代码，包括从用户空间到内核空间的相关源代码。希望读者在阅读下面的内容之前，先阅读一下前一篇文章提到的两个参考资料Android深入浅出之Binder机制和Android Binder设计与实现，熟悉相关概念和数据结构，这有助于理解下面要分析的源代码。

Service Manager在用户空间的源代码位于frameworks/base/cmds/servicemanager目录下，主要是由binder.h、binder.c和service_manager.c三个文件组成。Service Manager的入口位于service_manager.c文件中的main函数：

[cpp] view plain copy print ?

intmain(intargc,char**argv)
{
structbinder_state*bs;
void*svcmgr=BINDER_SERVICE_MANAGER;
bs=binder_open(128*1024);
if(binder_become_context_manager(bs)){
LOGE("cannotbecomecontextmanager(%s)\n",strerror(errno));
return-1;
}
svcmgr_handle=svcmgr;
binder_loop(bs,svcmgr_handler);
return0;
}

int main(int argc, char **argv){    struct binder_state *bs;    void *svcmgr = BINDER_SERVICE_MANAGER;    bs = binder_open(128*1024);    if (binder_become_context_manager(bs)) {        LOGE("cannot become context manager (%s)\n", strerror(errno));        return -1;    }    svcmgr_handle = svcmgr;    binder_loop(bs, svcmgr_handler);    return 0;}

main函数主要有三个功能：一是打开Binder设备文件；二是告诉Binder驱动程序自己是Binder上下文管理者，即我们前面所说的守护进程；三是进入一个无穷循环，充当Server的角色，等待Client的请求。进入这三个功能之间，先来看一下这里用到的结构体binder_state、宏BINDER_SERVICE_MANAGER的定义：

structbinder_state定义在frameworks/base/cmds/servicemanager/binder.c文件中：

[cpp] view plain copy print ?

structbinder_state
{
intfd;
void*mapped;
unsignedmapsize;
};

struct binder_state{    int fd;    void *mapped;    unsigned mapsize;};

fd是文件描述符，即表示打开的/dev/binder设备文件描述符；mapped是把设备文件/dev/binder映射到进程空间的起始地址；mapsize是上述内存映射空间的大小。

宏BINDER_SERVICE_MANAGER定义frameworks/base/cmds/servicemanager/binder.h文件中：

[cpp] view plain copy print ?

/*theonemagicobject*/
#defineBINDER_SERVICE_MANAGER((void*)0)

/* the one magic object */#define BINDER_SERVICE_MANAGER ((void*) 0)

它表示Service Manager的句柄为0。Binder通信机制使用句柄来代表远程接口，这个句柄的意义和Windows编程中用到的句柄是差不多的概念。前面说到，Service Manager在充当守护进程的同时，它充当Server的角色，当它作为远程接口使用时，它的句柄值便为0，这就是它的特殊之处，其余的Server的远程接口句柄值都是一个大于0 而且由Binder驱动程序自动进行分配的。

函数首先是执行打开Binder设备文件的操作binder_open，这个函数位于frameworks/base/cmds/servicemanager/binder.c文件中：

[cpp] view plain copy print ?

structbinder_state*binder_open(unsignedmapsize)
{
structbinder_state*bs;
bs=malloc(sizeof(*bs));
if(!bs){
errno=ENOMEM;
return0;
}
bs->fd=open("/dev/binder",O_RDWR);
if(bs->fd<0){
fprintf(stderr,"binder:cannotopendevice(%s)\n",
strerror(errno));
gotofail_open;
}
bs->mapsize=mapsize;
bs->mapped=mmap(NULL,mapsize,PROT_READ,MAP_PRIVATE,bs->fd,0);
if(bs->mapped==MAP_FAILED){
fprintf(stderr,"binder:cannotmapdevice(%s)\n",
strerror(errno));
gotofail_map;
}
/*TODO:checkversion*/
returnbs;
fail_map:
close(bs->fd);
fail_open:
free(bs);
return0;
}

struct binder_state *binder_open(unsigned mapsize){    struct binder_state *bs;    bs = malloc(sizeof(*bs));    if (!bs) {        errno = ENOMEM;        return 0;    }    bs->fd = open("/dev/binder", O_RDWR);    if (bs->fd < 0) {        fprintf(stderr,"binder: cannot open device (%s)\n",                strerror(errno));        goto fail_open;    }    bs->mapsize = mapsize;    bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);    if (bs->mapped == MAP_FAILED) {        fprintf(stderr,"binder: cannot map device (%s)\n",                strerror(errno));        goto fail_map;    }        /* TODO: check version */    return bs;fail_map:    close(bs->fd);fail_open:    free(bs);    return 0;}

通过文件操作函数open来打开/dev/binder设备文件。设备文件/dev/binder是在Binder驱动程序模块初始化的时候创建的，我们先看一下这个设备文件的创建过程。进入到kernel/common/drivers/staging/android目录中，打开binder.c文件，可以看到模块初始化入口binder_init：

[cpp] view plain copy print ?

staticstructfile_operationsbinder_fops={
.owner=THIS_MODULE,
.poll=binder_poll,
.unlocked_ioctl=binder_ioctl,
.mmap=binder_mmap,
.open=binder_open,
.flush=binder_flush,
.release=binder_release,
};
staticstructmiscdevicebinder_miscdev={
.minor=MISC_DYNAMIC_MINOR,
.name="binder",
.fops=&binder_fops
};
staticint__initbinder_init(void)
{
intret;
binder_proc_dir_entry_root=proc_mkdir("binder",NULL);
if(binder_proc_dir_entry_root)
binder_proc_dir_entry_proc=proc_mkdir("proc",binder_proc_dir_entry_root);
ret=misc_register(&binder_miscdev);
if(binder_proc_dir_entry_root){
create_proc_read_entry("state",S_IRUGO,binder_proc_dir_entry_root,binder_read_proc_state,NULL);
create_proc_read_entry("stats",S_IRUGO,binder_proc_dir_entry_root,binder_read_proc_stats,NULL);
create_proc_read_entry("transactions",S_IRUGO,binder_proc_dir_entry_root,binder_read_proc_transactions,NULL);
create_proc_read_entry("transaction_log",S_IRUGO,binder_proc_dir_entry_root,binder_read_proc_transaction_log,&binder_transaction_log);
create_proc_read_entry("failed_transaction_log",S_IRUGO,binder_proc_dir_entry_root,binder_read_proc_transaction_log,&binder_transaction_log_failed);
}
returnret;
}
device_initcall(binder_init);

static struct file_operations binder_fops = {.owner = THIS_MODULE,.poll = binder_poll,.unlocked_ioctl = binder_ioctl,.mmap = binder_mmap,.open = binder_open,.flush = binder_flush,.release = binder_release,};static struct miscdevice binder_miscdev = {.minor = MISC_DYNAMIC_MINOR,.name = "binder",.fops = &binder_fops};static int __init binder_init(void){int ret;binder_proc_dir_entry_root = proc_mkdir("binder", NULL);if (binder_proc_dir_entry_root)binder_proc_dir_entry_proc = proc_mkdir("proc", binder_proc_dir_entry_root);ret = misc_register(&binder_miscdev);if (binder_proc_dir_entry_root) {create_proc_read_entry("state", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_state, NULL);create_proc_read_entry("stats", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_stats, NULL);create_proc_read_entry("transactions", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transactions, NULL);create_proc_read_entry("transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log);create_proc_read_entry("failed_transaction_log", S_IRUGO, binder_proc_dir_entry_root, binder_read_proc_transaction_log, &binder_transaction_log_failed);}return ret;}device_initcall(binder_init);

创建设备文件的地方在misc_register函数里面，关于misc设备的注册，我们在Android日志系统驱动程序Logger源代码分析一文中有提到，有兴趣的读取不访去了解一下。其余的逻辑主要是在/proc目录创建各种Binder相关的文件，供用户访问。从设备文件的操作方法binder_fops可以看出，前面的binder_open函数执行语句：

[cpp] view plain copy print ?

bs->fd=open("/dev/binder",O_RDWR);

bs->fd = open("/dev/binder", O_RDWR);

就进入到Binder驱动程序的binder_open函数了：

[cpp] view plain copy print ?

staticintbinder_open(structinode*nodp,structfile*filp)
{
structbinder_proc*proc;
if(binder_debug_mask&BINDER_DEBUG_OPEN_CLOSE)
printk(KERN_INFO"binder_open:%d:%d\n",current->group_leader->pid,current->pid);
proc=kzalloc(sizeof(*proc),GFP_KERNEL);
if(proc==NULL)
return-ENOMEM;
get_task_struct(current);
proc->tsk=current;
INIT_LIST_HEAD(&proc->todo);
init_waitqueue_head(&proc->wait);
proc->default_priority=task_nice(current);
mutex_lock(&binder_lock);
binder_stats.obj_created[BINDER_STAT_PROC]++;
hlist_add_head(&proc->proc_node,&binder_procs);
proc->pid=current->group_leader->pid;
INIT_LIST_HEAD(&proc->delivered_death);
filp->private_data=proc;
mutex_unlock(&binder_lock);
if(binder_proc_dir_entry_proc){
charstrbuf[11];
snprintf(strbuf,sizeof(strbuf),"%u",proc->pid);
remove_proc_entry(strbuf,binder_proc_dir_entry_proc);
create_proc_read_entry(strbuf,S_IRUGO,binder_proc_dir_entry_proc,binder_read_proc_proc,proc);
}
return0;
}

static int binder_open(struct inode *nodp, struct file *filp){struct binder_proc *proc;if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE)printk(KERN_INFO "binder_open: %d:%d\n", current->group_leader->pid, current->pid);proc = kzalloc(sizeof(*proc), GFP_KERNEL);if (proc == NULL)return -ENOMEM;get_task_struct(current);proc->tsk = current;INIT_LIST_HEAD(&proc->todo);init_waitqueue_head(&proc->wait);proc->default_priority = task_nice(current);mutex_lock(&binder_lock);binder_stats.obj_created[BINDER_STAT_PROC]++;hlist_add_head(&proc->proc_node, &binder_procs);proc->pid = current->group_leader->pid;INIT_LIST_HEAD(&proc->delivered_death);filp->private_data = proc;mutex_unlock(&binder_lock);if (binder_proc_dir_entry_proc) {char strbuf[11];snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);remove_proc_entry(strbuf, binder_proc_dir_entry_proc);create_proc_read_entry(strbuf, S_IRUGO, binder_proc_dir_entry_proc, binder_read_proc_proc, proc);}return 0;}

这个函数的主要作用是创建一个struct binder_proc数据结构来保存打开设备文件/dev/binder的进程的上下文信息，并且将这个进程上下文信息保存在打开文件结构struct file的私有数据成员变量private_data中，这样，在执行其它文件操作时，就通过打开文件结构struct file来取回这个进程上下文信息了。这个进程上下文信息同时还会保存在一个全局哈希表binder_procs中，驱动程序内部使用。binder_procs定义在文件的开头：

[cpp] view plain copy print ?

staticHLIST_HEAD(binder_procs);

static HLIST_HEAD(binder_procs);

结构体struct binder_proc也是定义在kernel/common/drivers/staging/android/binder.c文件中：

[cpp] view plain copy print ?

structbinder_proc{
structhlist_nodeproc_node;
structrb_rootthreads;
structrb_rootnodes;
structrb_rootrefs_by_desc;
structrb_rootrefs_by_node;
intpid;
structvm_area_struct*vma;
structtask_struct*tsk;
structfiles_struct*files;
structhlist_nodedeferred_work_node;
intdeferred_work;
void*buffer;
ptrdiff_tuser_buffer_offset;
structlist_headbuffers;
structrb_rootfree_buffers;
structrb_rootallocated_buffers;
size_tfree_async_space;
structpage**pages;
size_tbuffer_size;
uint32_tbuffer_free;
structlist_headtodo;
wait_queue_head_twait;
structbinder_statsstats;
structlist_headdelivered_death;
intmax_threads;
intrequested_threads;
intrequested_threads_started;
intready_threads;
longdefault_priority;
};

struct binder_proc {struct hlist_node proc_node;struct rb_root threads;struct rb_root nodes;struct rb_root refs_by_desc;struct rb_root refs_by_node;int pid;struct vm_area_struct *vma;struct task_struct *tsk;struct files_struct *files;struct hlist_node deferred_work_node;int deferred_work;void *buffer;ptrdiff_t user_buffer_offset;struct list_head buffers;struct rb_root free_buffers;struct rb_root allocated_buffers;size_t free_async_space;struct page **pages;size_t buffer_size;uint32_t buffer_free;struct list_head todo;wait_queue_head_t wait;struct binder_stats stats;struct list_head delivered_death;int max_threads;int requested_threads;int requested_threads_started;int ready_threads;long default_priority;};

这个结构体的成员比较多，这里就不一一说明了，简单解释一下四个成员变量threads、nodes、 refs_by_desc和refs_by_node，其它的我们在遇到的时候再详细解释。这四个成员变量都是表示红黑树的节点，也就是说，binder_proc分别挂会四个红黑树下。threads树用来保存binder_proc进程内用于处理用户请求的线程，它的最大数量由max_threads来决定；node树成用来保存binder_proc进程内的Binder实体；refs_by_desc树和refs_by_node树用来保存binder_proc进程内的Binder引用，即引用的其它进程的Binder实体，它分别用两种方式来组织红黑树，一种是以句柄作来key值来组织，一种是以引用的实体节点的地址值作来key值来组织，它们都是表示同一样东西，只不过是为了内部查找方便而用两个红黑树来表示。

这样，打开设备文件/dev/binder的操作就完成了，接着是对打开的设备文件进行内存映射操作mmap：

[cpp] view plain copy print ?

bs->mapped=mmap(NULL,mapsize,PROT_READ,MAP_PRIVATE,bs->fd,0);

bs->mapped = mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);

对应Binder驱动程序的binder_mmap函数：

[cpp] view plain copy print ?

staticintbinder_mmap(structfile*filp,structvm_area_struct*vma)
{
intret;
structvm_struct*area;
structbinder_proc*proc=filp->private_data;
constchar*failure_string;
structbinder_buffer*buffer;
if((vma->vm_end-vma->vm_start)>SZ_4M)
vma->vm_end=vma->vm_start+SZ_4M;
if(binder_debug_mask&BINDER_DEBUG_OPEN_CLOSE)
printk(KERN_INFO
"binder_mmap:%d%lx-%lx(%ldK)vma%lxpagep%lx\n",
proc->pid,vma->vm_start,vma->vm_end,
(vma->vm_end-vma->vm_start)/SZ_1K,vma->vm_flags,
(unsignedlong)pgprot_val(vma->vm_page_prot));
if(vma->vm_flags&FORBIDDEN_MMAP_FLAGS){
ret=-EPERM;
failure_string="badvm_flags";
gotoerr_bad_arg;
}
vma->vm_flags=(vma->vm_flags|VM_DONTCOPY)&~VM_MAYWRITE;
if(proc->buffer){
ret=-EBUSY;
failure_string="alreadymapped";
gotoerr_already_mapped;
}
area=get_vm_area(vma->vm_end-vma->vm_start,VM_IOREMAP);
if(area==NULL){
ret=-ENOMEM;
failure_string="get_vm_area";
gotoerr_get_vm_area_failed;
}
proc->buffer=area->addr;
proc->user_buffer_offset=vma->vm_start-(uintptr_t)proc->buffer;
#ifdefCONFIG_CPU_CACHE_VIPT
if(cache_is_vipt_aliasing()){
while(CACHE_COLOUR((vma->vm_start^(uint32_t)proc->buffer))){
printk(KERN_INFO"binder_mmap:%d%lx-%lxmaps%pbadalignment\n",proc->pid,vma->vm_start,vma->vm_end,proc->buffer);
vma->vm_start+=PAGE_SIZE;
}
}
#endif
proc->pages=kzalloc(sizeof(proc->pages[0])*((vma->vm_end-vma->vm_start)/PAGE_SIZE),GFP_KERNEL);
if(proc->pages==NULL){
ret=-ENOMEM;
failure_string="allocpagearray";
gotoerr_alloc_pages_failed;
}
proc->buffer_size=vma->vm_end-vma->vm_start;
vma->vm_ops=&binder_vm_ops;
vma->vm_private_data=proc;
if(binder_update_page_range(proc,1,proc->buffer,proc->buffer+PAGE_SIZE,vma)){
ret=-ENOMEM;
failure_string="allocsmallbuf";
gotoerr_alloc_small_buf_failed;
}
buffer=proc->buffer;
INIT_LIST_HEAD(&proc->buffers);
list_add(&buffer->entry,&proc->buffers);
buffer->free=1;
binder_insert_free_buffer(proc,buffer);
proc->free_async_space=proc->buffer_size/2;
barrier();
proc->files=get_files_struct(current);
proc->vma=vma;
/*printk(KERN_INFO"binder_mmap:%d%lx-%lxmaps%p\n",proc->pid,vma->vm_start,vma->vm_end,proc->buffer);*/
return0;
err_alloc_small_buf_failed:
kfree(proc->pages);
proc->pages=NULL;
err_alloc_pages_failed:
vfree(proc->buffer);
proc->buffer=NULL;
err_get_vm_area_failed:
err_already_mapped:
err_bad_arg:
printk(KERN_ERR"binder_mmap:%d%lx-%lx%sfailed%d\n",proc->pid,vma->vm_start,vma->vm_end,failure_string,ret);
returnret;
}

static int binder_mmap(struct file *filp, struct vm_area_struct *vma){int ret;struct vm_struct *area;struct binder_proc *proc = filp->private_data;const char *failure_string;struct binder_buffer *buffer;if ((vma->vm_end - vma->vm_start) > SZ_4M)vma->vm_end = vma->vm_start + SZ_4M;if (binder_debug_mask & BINDER_DEBUG_OPEN_CLOSE)printk(KERN_INFO"binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",proc->pid, vma->vm_start, vma->vm_end,(vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,(unsigned long)pgprot_val(vma->vm_page_prot));if (vma->vm_flags & FORBIDDEN_MMAP_FLAGS) {ret = -EPERM;failure_string = "bad vm_flags";goto err_bad_arg;}vma->vm_flags = (vma->vm_flags | VM_DONTCOPY) & ~VM_MAYWRITE;if (proc->buffer) {ret = -EBUSY;failure_string = "already mapped";goto err_already_mapped;}area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP);if (area == NULL) {ret = -ENOMEM;failure_string = "get_vm_area";goto err_get_vm_area_failed;}proc->buffer = area->addr;proc->user_buffer_offset = vma->vm_start - (uintptr_t)proc->buffer;#ifdef CONFIG_CPU_CACHE_VIPTif (cache_is_vipt_aliasing()) {while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) {printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);vma->vm_start += PAGE_SIZE;}}#endifproc->pages = kzalloc(sizeof(proc->pages[0]) * ((vma->vm_end - vma->vm_start) / PAGE_SIZE), GFP_KERNEL);if (proc->pages == NULL) {ret = -ENOMEM;failure_string = "alloc page array";goto err_alloc_pages_failed;}proc->buffer_size = vma->vm_end - vma->vm_start;vma->vm_ops = &binder_vm_ops;vma->vm_private_data = proc;if (binder_update_page_range(proc, 1, proc->buffer, proc->buffer + PAGE_SIZE, vma)) {ret = -ENOMEM;failure_string = "alloc small buf";goto err_alloc_small_buf_failed;}buffer = proc->buffer;INIT_LIST_HEAD(&proc->buffers);list_add(&buffer->entry, &proc->buffers);buffer->free = 1;binder_insert_free_buffer(proc, buffer);proc->free_async_space = proc->buffer_size / 2;barrier();proc->files = get_files_struct(current);proc->vma = vma;/*printk(KERN_INFO "binder_mmap: %d %lx-%lx maps %p\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);*/return 0;err_alloc_small_buf_failed:kfree(proc->pages);proc->pages = NULL;err_alloc_pages_failed:vfree(proc->buffer);proc->buffer = NULL;err_get_vm_area_failed:err_already_mapped:err_bad_arg:printk(KERN_ERR "binder_mmap: %d %lx-%lx %s failed %d\n", proc->pid, vma->vm_start, vma->vm_end, failure_string, ret);return ret;}

函数首先通过filp->private_data得到在打开设备文件/dev/binder时创建的struct binder_proc结构。内存映射信息放在vma参数中，注意，这里的vma的数据类型是struct vm_area_struct，它表示的是一块连续的虚拟地址空间区域，在函数变量声明的地方，我们还看到有一个类似的结构体struct vm_struct，这个数据结构也是表示一块连续的虚拟地址空间区域，那么，这两者的区别是什么呢？在Linux中，struct vm_area_struct表示的虚拟地址是给进程使用的，而struct vm_struct表示的虚拟地址是给内核使用的，它们对应的物理页面都可以是不连续的。struct vm_area_struct表示的地址空间范围是0~3G，而struct vm_struct表示的地址空间范围是(3G + 896M + 8M) ~ 4G。struct vm_struct表示的地址空间范围为什么不是3G~4G呢？原来，3G ~ (3G + 896M)范围的地址是用来映射连续的物理页面的，这个范围的虚拟地址和对应的实际物理地址有着简单的对应关系，即对应0~896M的物理地址空间，而(3G + 896M) ~ (3G + 896M + 8M)是安全保护区域（例如，所有指向这8M地址空间的指针都是非法的），因此struct vm_struct使用(3G + 896M + 8M) ~ 4G地址空间来映射非连续的物理页面。有关Linux的内存管理知识，可以参考Android学习启动篇一文提到的《Understanding the Linux Kernel》一书中的第8章。

这里为什么会同时使用进程虚拟地址空间和内核虚拟地址空间来映射同一个物理页面呢？这就是Binder进程间通信机制的精髓所在了，同一个物理页面，一方映射到进程虚拟地址空间，一方面映射到内核虚拟地址空间，这样，进程和内核之间就可以减少一次内存拷贝了，提到了进程间通信效率。举个例子如，Client要将一块内存数据传递给Server，一般的做法是，Client将这块数据从它的进程空间拷贝到内核空间中，然后内核再将这个数据从内核空间拷贝到Server的进程空间，这样，Server就可以访问这个数据了。但是在这种方法中，执行了两次内存拷贝操作，而采用我们上面提到的方法，只需要把Client进程空间的数据拷贝一次到内核空间，然后Server与内核共享这个数据就可以了，整个过程只需要执行一次内存拷贝，提高了效率。

binder_mmap的原理讲完了，这个函数的逻辑就好理解了。不过，这里还是先要解释一下struct binder_proc结构体的几个成员变量。buffer成员变量是一个void*指针，它表示要映射的物理内存在内核空间中的起始位置；buffer_size成员变量是一个size_t类型的变量，表示要映射的内存的大小；pages成员变量是一个struct page*类型的数组，struct page是用来描述物理页面的数据结构；user_buffer_offset成员变量是一个ptrdiff_t类型的变量，它表示的是内核使用的虚拟地址与进程使用的虚拟地址之间的差值，即如果某个物理页面在内核空间中对应的虚拟地址是addr的话，那么这个物理页面在进程空间对应的虚拟地址就为addr +user_buffer_offset。

再解释一下Binder驱动程序管理这个内存映射地址空间的方法，即是如何管理buffer ~ (buffer + buffer_size)这段地址空间的，这个地址空间被划分为一段一段来管理，每一段是结构体struct binder_buffer来描述：

[cpp] view plain copy print ?

structbinder_buffer{
structlist_headentry;/*freeandallocatedentriesbyaddesss*/
structrb_noderb_node;/*freeentrybysizeorallocatedentry*/
/*byaddress*/
unsignedfree:1;
unsignedallow_user_free:1;
unsignedasync_transaction:1;
unsigneddebug_id:29;
structbinder_transaction*transaction;
structbinder_node*target_node;
size_tdata_size;
size_toffsets_size;
uint8_tdata[0];
};

struct binder_buffer {struct list_head entry; /* free and allocated entries by addesss */struct rb_node rb_node; /* free entry by size or allocated entry *//* by address */unsigned free : 1;unsigned allow_user_free : 1;unsigned async_transaction : 1;unsigned debug_id : 29;struct binder_transaction *transaction;struct binder_node *target_node;size_t data_size;size_t offsets_size;uint8_t data[0];};

每一个binder_buffer通过其成员entry按从低址到高地址连入到struct binder_proc中的buffers表示的链表中去，同时，每一个binder_buffer又分为正在使用的和空闲的，通过free成员变量来区分，空闲的binder_buffer通过成员变量rb_node连入到struct binder_proc中的free_buffers表示的红黑树中去，正在使用的binder_buffer通过成员变量rb_node连入到struct binder_proc中的allocated_buffers表示的红黑树中去。这样做当然是为了方便查询和维护这块地址空间了，这一点我们可以从其它的代码中看到，等遇到的时候我们再分析。

终于可以回到binder_mmap这个函数来了，首先是对参数作一些健康体检（sanity check），例如，要映射的内存大小不能超过SIZE_4M，即4M，回到service_manager.c中的main 函数，这里传进来的值是128 * 1024个字节，即128K，这个检查没有问题。通过健康体检后，调用get_vm_area函数获得一个空闲的vm_struct区间，并初始化proc结构体的buffer、user_buffer_offset、pages和buffer_size和成员变量，接着调用binder_update_page_range来为虚拟地址空间proc->buffer ~ proc->buffer + PAGE_SIZE分配一个空闲的物理页面，同时这段地址空间使用一个binder_buffer来描述，分别插入到proc->buffers链表和proc->free_buffers红黑树中去，最后，还初始化了proc结构体的free_async_space、files和vma三个成员变量。

这里，我们继续进入到binder_update_page_range函数中去看一下Binder驱动程序是如何实现把一个物理页面同时映射到内核空间和进程空间去的：

[cpp] view plain copy print ?

staticintbinder_update_page_range(structbinder_proc*proc,intallocate,
void*start,void*end,structvm_area_struct*vma)
{
void*page_addr;
unsignedlonguser_page_addr;
structvm_structtmp_area;
structpage**page;
structmm_struct*mm;
if(binder_debug_mask&BINDER_DEBUG_BUFFER_ALLOC)
printk(KERN_INFO"binder:%d:%spages%p-%p\n",
proc->pid,allocate?"allocate":"free",start,end);
if(end<=start)
return0;
if(vma)
mm=NULL;
else
mm=get_task_mm(proc->tsk);
if(mm){
down_write(&mm->mmap_sem);
vma=proc->vma;
}
if(allocate==0)
gotofree_range;
if(vma==NULL){
printk(KERN_ERR"binder:%d:binder_alloc_buffailedto"
"mappagesinuserspace,novma\n",proc->pid);
gotoerr_no_vma;
}
for(page_addr=start;page_addr<end;page_addr+=PAGE_SIZE){
intret;
structpage**page_array_ptr;
page=&proc->pages[(page_addr-proc->buffer)/PAGE_SIZE];
BUG_ON(*page);
*page=alloc_page(GFP_KERNEL|__GFP_ZERO);
if(*page==NULL){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"forpageat%p\n",proc->pid,page_addr);
gotoerr_alloc_page_failed;
}
tmp_area.addr=page_addr;
tmp_area.size=PAGE_SIZE+PAGE_SIZE/*guardpage?*/;
page_array_ptr=page;
ret=map_vm_area(&tmp_area,PAGE_KERNEL,&page_array_ptr);
if(ret){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"tomappageat%pinkernel\n",
proc->pid,page_addr);
gotoerr_map_kernel_failed;
}
user_page_addr=
(uintptr_t)page_addr+proc->user_buffer_offset;
ret=vm_insert_page(vma,user_page_addr,page[0]);
if(ret){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"tomappageat%lxinuserspace\n",
proc->pid,user_page_addr);
gotoerr_vm_insert_page_failed;
}
/*vm_insert_pagedoesnotseemtoincrementtherefcount*/
}
if(mm){
up_write(&mm->mmap_sem);
mmput(mm);
}
return0;
free_range:
for(page_addr=end-PAGE_SIZE;page_addr>=start;
page_addr-=PAGE_SIZE){
page=&proc->pages[(page_addr-proc->buffer)/PAGE_SIZE];
if(vma)
zap_page_range(vma,(uintptr_t)page_addr+
proc->user_buffer_offset,PAGE_SIZE,NULL);
err_vm_insert_page_failed:
unmap_kernel_range((unsignedlong)page_addr,PAGE_SIZE);
err_map_kernel_failed:
__free_page(*page);
*page=NULL;
err_alloc_page_failed:
;
}
err_no_vma:
if(mm){
up_write(&mm->mmap_sem);
mmput(mm);
}
return-ENOMEM;
}

static int binder_update_page_range(struct binder_proc *proc, int allocate,void *start, void *end, struct vm_area_struct *vma){void *page_addr;unsigned long user_page_addr;struct vm_struct tmp_area;struct page **page;struct mm_struct *mm;if (binder_debug_mask & BINDER_DEBUG_BUFFER_ALLOC)printk(KERN_INFO "binder: %d: %s pages %p-%p\n",       proc->pid, allocate ? "allocate" : "free", start, end);if (end <= start)return 0;if (vma)mm = NULL;elsemm = get_task_mm(proc->tsk);if (mm) {down_write(&mm->mmap_sem);vma = proc->vma;}if (allocate == 0)goto free_range;if (vma == NULL) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed to "       "map pages in userspace, no vma\n", proc->pid);goto err_no_vma;}for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {int ret;struct page **page_array_ptr;page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];BUG_ON(*page);*page = alloc_page(GFP_KERNEL | __GFP_ZERO);if (*page == NULL) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "for page at %p\n", proc->pid, page_addr);goto err_alloc_page_failed;}tmp_area.addr = page_addr;tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */;page_array_ptr = page;ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr);if (ret) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "to map page at %p in kernel\n",       proc->pid, page_addr);goto err_map_kernel_failed;}user_page_addr =(uintptr_t)page_addr + proc->user_buffer_offset;ret = vm_insert_page(vma, user_page_addr, page[0]);if (ret) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "to map page at %lx in userspace\n",       proc->pid, user_page_addr);goto err_vm_insert_page_failed;}/* vm_insert_page does not seem to increment the refcount */}if (mm) {up_write(&mm->mmap_sem);mmput(mm);}return 0;free_range:for (page_addr = end - PAGE_SIZE; page_addr >= start;     page_addr -= PAGE_SIZE) {page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];if (vma)zap_page_range(vma, (uintptr_t)page_addr +proc->user_buffer_offset, PAGE_SIZE, NULL);err_vm_insert_page_failed:unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);err_map_kernel_failed:__free_page(*page);*page = NULL;err_alloc_page_failed:;}err_no_vma:if (mm) {up_write(&mm->mmap_sem);mmput(mm);}return -ENOMEM;}

这个函数既可以分配物理页面，也可以用来释放物理页面，通过allocate参数来区别，这里我们只关注分配物理页面的情况。要分配物理页面的虚拟地址空间范围为(start ~ end)，函数前面的一些检查逻辑就不看了，直接看中间的for循环：

[cpp] view plain copy print ?

for(page_addr=start;page_addr<end;page_addr+=PAGE_SIZE){
intret;
structpage**page_array_ptr;
page=&proc->pages[(page_addr-proc->buffer)/PAGE_SIZE];
BUG_ON(*page);
*page=alloc_page(GFP_KERNEL|__GFP_ZERO);
if(*page==NULL){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"forpageat%p\n",proc->pid,page_addr);
gotoerr_alloc_page_failed;
}
tmp_area.addr=page_addr;
tmp_area.size=PAGE_SIZE+PAGE_SIZE/*guardpage?*/;
page_array_ptr=page;
ret=map_vm_area(&tmp_area,PAGE_KERNEL,&page_array_ptr);
if(ret){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"tomappageat%pinkernel\n",
proc->pid,page_addr);
gotoerr_map_kernel_failed;
}
user_page_addr=
(uintptr_t)page_addr+proc->user_buffer_offset;
ret=vm_insert_page(vma,user_page_addr,page[0]);
if(ret){
printk(KERN_ERR"binder:%d:binder_alloc_buffailed"
"tomappageat%lxinuserspace\n",
proc->pid,user_page_addr);
gotoerr_vm_insert_page_failed;
}
/*vm_insert_pagedoesnotseemtoincrementtherefcount*/
}

for (page_addr = start; page_addr < end; page_addr += PAGE_SIZE) {int ret;struct page **page_array_ptr;page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];BUG_ON(*page);*page = alloc_page(GFP_KERNEL | __GFP_ZERO);if (*page == NULL) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "for page at %p\n", proc->pid, page_addr);goto err_alloc_page_failed;}tmp_area.addr = page_addr;tmp_area.size = PAGE_SIZE + PAGE_SIZE /* guard page? */;page_array_ptr = page;ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr);if (ret) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "to map page at %p in kernel\n",       proc->pid, page_addr);goto err_map_kernel_failed;}user_page_addr =(uintptr_t)page_addr + proc->user_buffer_offset;ret = vm_insert_page(vma, user_page_addr, page[0]);if (ret) {printk(KERN_ERR "binder: %d: binder_alloc_buf failed "       "to map page at %lx in userspace\n",       proc->pid, user_page_addr);goto err_vm_insert_page_failed;}/* vm_insert_page does not seem to increment the refcount */}

首先是调用alloc_page来分配一个物理页面，这个函数返回一个struct page物理页面描述符，根据这个描述的内容初始化好struct vm_struct tmp_area结构体，然后通过map_vm_area将这个物理页面插入到tmp_area描述的内核空间去，接着通过page_addr + proc->user_buffer_offset获得进程虚拟空间地址，并通过vm_insert_page函数将这个物理页面插入到进程地址空间去，参数vma代表了要插入的进程的地址空间。
这样，frameworks/base/cmds/servicemanager/binder.c文件中的binder_open函数就描述完了，回到frameworks/base/cmds/servicemanager/service_manager.c文件中的main函数，下一步就是调用binder_become_context_manager来通知Binder驱动程序自己是Binder机制的上下文管理者，即守护进程。binder_become_context_manager函数位于frameworks/base/cmds/servicemanager/binder.c文件中：

[cpp] view plain copy print ?

intbinder_become_context_manager(structbinder_state*bs)
{
returnioctl(bs->fd,BINDER_SET_CONTEXT_MGR,0);
}

int binder_become_context_manager(struct binder_state *bs){    return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);}

这里通过调用ioctl文件操作函数来通知Binder驱动程序自己是守护进程，命令号是BINDER_SET_CONTEXT_MGR，没有参数。BINDER_SET_CONTEXT_MGR定义为：

[cpp] view plain copy print ?

#defineBINDER_SET_CONTEXT_MGR_IOW('b',7,int)

#defineBINDER_SET_CONTEXT_MGR_IOW('b', 7, int)

这样就进入到Binder驱动程序的binder_ioctl函数，我们只关注BINDER_SET_CONTEXT_MGR命令：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
......
caseBINDER_SET_CONTEXT_MGR:
if(binder_context_mgr_node!=NULL){
printk(KERN_ERR"binder:BINDER_SET_CONTEXT_MGRalreadyset\n");
ret=-EBUSY;
gotoerr;
}
if(binder_context_mgr_uid!=-1){
if(binder_context_mgr_uid!=current->cred->euid){
printk(KERN_ERR"binder:BINDER_SET_"
"CONTEXT_MGRbaduid%d!=%d\n",
current->cred->euid,
binder_context_mgr_uid);
ret=-EPERM;
gotoerr;
}
}else
binder_context_mgr_uid=current->cred->euid;
binder_context_mgr_node=binder_new_node(proc,NULL,NULL);
if(binder_context_mgr_node==NULL){
ret=-ENOMEM;
gotoerr;
}
binder_context_mgr_node->local_weak_refs++;
binder_context_mgr_node->local_strong_refs++;
binder_context_mgr_node->has_strong_ref=1;
binder_context_mgr_node->has_weak_ref=1;
break;
......
default:
ret=-EINVAL;
gotoerr;
}
ret=0;
err:
if(thread)
thread->looper&=~BINDER_LOOPER_STATE_NEED_RETURN;
mutex_unlock(&binder_lock);
wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret&&ret!=-ERESTARTSYS)
printk(KERN_INFO"binder:%d:%dioctl%x%lxreturned%d\n",proc->pid,current->pid,cmd,arg,ret);
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {        ......case BINDER_SET_CONTEXT_MGR:if (binder_context_mgr_node != NULL) {printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n");ret = -EBUSY;goto err;}if (binder_context_mgr_uid != -1) {if (binder_context_mgr_uid != current->cred->euid) {printk(KERN_ERR "binder: BINDER_SET_""CONTEXT_MGR bad uid %d != %d\n",current->cred->euid,binder_context_mgr_uid);ret = -EPERM;goto err;}} elsebinder_context_mgr_uid = current->cred->euid;binder_context_mgr_node = binder_new_node(proc, NULL, NULL);if (binder_context_mgr_node == NULL) {ret = -ENOMEM;goto err;}binder_context_mgr_node->local_weak_refs++;binder_context_mgr_node->local_strong_refs++;binder_context_mgr_node->has_strong_ref = 1;binder_context_mgr_node->has_weak_ref = 1;break;        ......default:ret = -EINVAL;goto err;}ret = 0;err:if (thread)thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;mutex_unlock(&binder_lock);wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret && ret != -ERESTARTSYS)printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);return ret;}

继续分析这个函数之前，又要解释两个数据结构了，一个是struct binder_thread结构体，顾名思久，它表示一个线程，这里就是执行binder_become_context_manager函数的线程了。

[cpp] view plain copy print ?

structbinder_thread{
structbinder_proc*proc;
structrb_noderb_node;
intpid;
intlooper;
structbinder_transaction*transaction_stack;
structlist_headtodo;
uint32_treturn_error;/*Writefailed,returnerrorcodeinreadbuf*/
uint32_treturn_error2;/*Writefailed,returnerrorcodeinread*/
/*buffer.Usedwhensendingareplytoadeadprocessthat*/
/*wearealsowaitingon*/
wait_queue_head_twait;
structbinder_statsstats;
};

struct binder_thread {struct binder_proc *proc;struct rb_node rb_node;int pid;int looper;struct binder_transaction *transaction_stack;struct list_head todo;uint32_t return_error; /* Write failed, return error code in read buf */uint32_t return_error2; /* Write failed, return error code in read *//* buffer. Used when sending a reply to a dead process that *//* we are also waiting on */wait_queue_head_t wait;struct binder_stats stats;};

proc表示这个线程所属的进程。struct binder_proc有一个成员变量threads，它的类型是rb_root，它表示一查红黑树，把属于这个进程的所有线程都组织起来，struct binder_thread的成员变量rb_node就是用来链入这棵红黑树的节点了。looper成员变量表示线程的状态，它可以取下面这几个值：

[cpp] view plain copy print ?

enum{
BINDER_LOOPER_STATE_REGISTERED=0x01,
BINDER_LOOPER_STATE_ENTERED=0x02,
BINDER_LOOPER_STATE_EXITED=0x04,
BINDER_LOOPER_STATE_INVALID=0x08,
BINDER_LOOPER_STATE_WAITING=0x10,
BINDER_LOOPER_STATE_NEED_RETURN=0x20
};

enum {BINDER_LOOPER_STATE_REGISTERED  = 0x01,BINDER_LOOPER_STATE_ENTERED     = 0x02,BINDER_LOOPER_STATE_EXITED      = 0x04,BINDER_LOOPER_STATE_INVALID     = 0x08,BINDER_LOOPER_STATE_WAITING     = 0x10,BINDER_LOOPER_STATE_NEED_RETURN = 0x20};

其余的成员变量，transaction_stack表示线程正在处理的事务，todo表示发往该线程的数据列表，return_error和return_error2表示操作结果返回码，wait用来阻塞线程等待某个事件的发生，stats用来保存一些统计信息。这些成员变量遇到的时候再分析它们的作用。

另外一个数据结构是struct binder_node，它表示一个binder实体：

[cpp] view plain copy print ?

structbinder_node{
intdebug_id;
structbinder_workwork;
union{
structrb_noderb_node;
structhlist_nodedead_node;
};
structbinder_proc*proc;
structhlist_headrefs;
intinternal_strong_refs;
intlocal_weak_refs;
intlocal_strong_refs;
void__user*ptr;
void__user*cookie;
unsignedhas_strong_ref:1;
unsignedpending_strong_ref:1;
unsignedhas_weak_ref:1;
unsignedpending_weak_ref:1;
unsignedhas_async_transaction:1;
unsignedaccept_fds:1;
intmin_priority:8;
structlist_headasync_todo;
};

struct binder_node {int debug_id;struct binder_work work;union {struct rb_node rb_node;struct hlist_node dead_node;};struct binder_proc *proc;struct hlist_head refs;int internal_strong_refs;int local_weak_refs;int local_strong_refs;void __user *ptr;void __user *cookie;unsigned has_strong_ref : 1;unsigned pending_strong_ref : 1;unsigned has_weak_ref : 1;unsigned pending_weak_ref : 1;unsigned has_async_transaction : 1;unsigned accept_fds : 1;int min_priority : 8;struct list_head async_todo;};

rb_node和dead_node组成一个联合体。如果这个Binder实体还在正常使用，则使用rb_node来连入proc->nodes所表示的红黑树的节点，这棵红黑树用来组织属于这个进程的所有Binder实体；如果这个Binder实体所属的进程已经销毁，而这个Binder实体又被其它进程所引用，则这个Binder实体通过dead_node进入到一个哈希表中去存放。proc成员变量就是表示这个Binder实例所属于进程了。refs成员变量把所有引用了该Binder实体的Binder引用连接起来构成一个链表。internal_strong_refs、local_weak_refs和local_strong_refs表示这个Binder实体的引用计数。ptr和cookie成员变量分别表示这个Binder实体在用户空间的地址以及附加数据。其余的成员变量就不描述了，遇到的时候再分析。

现在回到binder_ioctl函数中，首先是通过filp->private_data获得proc变量，这里binder_mmap函数是一样的。接着通过binder_get_thread函数获得线程信息，我们来看一下这个函数：

[cpp] view plain copy print ?

staticstructbinder_thread*binder_get_thread(structbinder_proc*proc)
{
structbinder_thread*thread=NULL;
structrb_node*parent=NULL;
structrb_node**p=&proc->threads.rb_node;
while(*p){
parent=*p;
thread=rb_entry(parent,structbinder_thread,rb_node);
if(current->pid<thread->pid)
p=&(*p)->rb_left;
elseif(current->pid>thread->pid)
p=&(*p)->rb_right;
else
break;
}
if(*p==NULL){
thread=kzalloc(sizeof(*thread),GFP_KERNEL);
if(thread==NULL)
returnNULL;
binder_stats.obj_created[BINDER_STAT_THREAD]++;
thread->proc=proc;
thread->pid=current->pid;
init_waitqueue_head(&thread->wait);
INIT_LIST_HEAD(&thread->todo);
rb_link_node(&thread->rb_node,parent,p);
rb_insert_color(&thread->rb_node,&proc->threads);
thread->looper|=BINDER_LOOPER_STATE_NEED_RETURN;
thread->return_error=BR_OK;
thread->return_error2=BR_OK;
}
returnthread;
}

static struct binder_thread *binder_get_thread(struct binder_proc *proc){struct binder_thread *thread = NULL;struct rb_node *parent = NULL;struct rb_node **p = &proc->threads.rb_node;while (*p) {parent = *p;thread = rb_entry(parent, struct binder_thread, rb_node);if (current->pid < thread->pid)p = &(*p)->rb_left;else if (current->pid > thread->pid)p = &(*p)->rb_right;elsebreak;}if (*p == NULL) {thread = kzalloc(sizeof(*thread), GFP_KERNEL);if (thread == NULL)return NULL;binder_stats.obj_created[BINDER_STAT_THREAD]++;thread->proc = proc;thread->pid = current->pid;init_waitqueue_head(&thread->wait);INIT_LIST_HEAD(&thread->todo);rb_link_node(&thread->rb_node, parent, p);rb_insert_color(&thread->rb_node, &proc->threads);thread->looper |= BINDER_LOOPER_STATE_NEED_RETURN;thread->return_error = BR_OK;thread->return_error2 = BR_OK;}return thread;}

这里把当前线程current的pid作为键值，在进程proc->threads表示的红黑树中进行查找，看是否已经为当前线程创建过了binder_thread信息。在这个场景下，由于当前线程是第一次进到这里，所以肯定找不到，即*p == NULL成立，于是，就为当前线程创建一个线程上下文信息结构体binder_thread，并初始化相应成员变量，并插入到proc->threads所表示的红黑树中去，下次要使用时就可以从proc中找到了。注意，这里的thread->looper =BINDER_LOOPER_STATE_NEED_RETURN。

回到binder_ioctl函数，继续往下面，有两个全局变量binder_context_mgr_node和binder_context_mgr_uid，它定义如下：

[cpp] view plain copy print ?

staticstructbinder_node*binder_context_mgr_node;
staticuid_tbinder_context_mgr_uid=-1;

static struct binder_node *binder_context_mgr_node;static uid_t binder_context_mgr_uid = -1;

binder_context_mgr_node用来表示Service Manager实体，binder_context_mgr_uid表示Service Manager守护进程的uid。在这个场景下，由于当前线程是第一次进到这里，所以binder_context_mgr_node为NULL，binder_context_mgr_uid为-1，于是初始化binder_context_mgr_uid为current->cred->euid，这样，当前线程就成为Binder机制的守护进程了，并且通过binder_new_node为Service Manager创建Binder实体：

[cpp] view plain copy print ?

staticstructbinder_node*
binder_new_node(structbinder_proc*proc,void__user*ptr,void__user*cookie)
{
structrb_node**p=&proc->nodes.rb_node;
structrb_node*parent=NULL;
structbinder_node*node;
while(*p){
parent=*p;
node=rb_entry(parent,structbinder_node,rb_node);
if(ptr<node->ptr)
p=&(*p)->rb_left;
elseif(ptr>node->ptr)
p=&(*p)->rb_right;
else
returnNULL;
}
node=kzalloc(sizeof(*node),GFP_KERNEL);
if(node==NULL)
returnNULL;
binder_stats.obj_created[BINDER_STAT_NODE]++;
rb_link_node(&node->rb_node,parent,p);
rb_insert_color(&node->rb_node,&proc->nodes);
node->debug_id=++binder_last_id;
node->proc=proc;
node->ptr=ptr;
node->cookie=cookie;
node->work.type=BINDER_WORK_NODE;
INIT_LIST_HEAD(&node->work.entry);
INIT_LIST_HEAD(&node->async_todo);
if(binder_debug_mask&BINDER_DEBUG_INTERNAL_REFS)
printk(KERN_INFO"binder:%d:%dnode%du%pc%pcreated\n",
proc->pid,current->pid,node->debug_id,
node->ptr,node->cookie);
returnnode;
}

static struct binder_node *binder_new_node(struct binder_proc *proc, void __user *ptr, void __user *cookie){struct rb_node **p = &proc->nodes.rb_node;struct rb_node *parent = NULL;struct binder_node *node;while (*p) {parent = *p;node = rb_entry(parent, struct binder_node, rb_node);if (ptr < node->ptr)p = &(*p)->rb_left;else if (ptr > node->ptr)p = &(*p)->rb_right;elsereturn NULL;}node = kzalloc(sizeof(*node), GFP_KERNEL);if (node == NULL)return NULL;binder_stats.obj_created[BINDER_STAT_NODE]++;rb_link_node(&node->rb_node, parent, p);rb_insert_color(&node->rb_node, &proc->nodes);node->debug_id = ++binder_last_id;node->proc = proc;node->ptr = ptr;node->cookie = cookie;node->work.type = BINDER_WORK_NODE;INIT_LIST_HEAD(&node->work.entry);INIT_LIST_HEAD(&node->async_todo);if (binder_debug_mask & BINDER_DEBUG_INTERNAL_REFS)printk(KERN_INFO "binder: %d:%d node %d u%p c%p created\n",       proc->pid, current->pid, node->debug_id,       node->ptr, node->cookie);return node;}

注意，这里传进来的ptr和cookie均为NULL。函数首先检查proc->nodes红黑树中是否已经存在以ptr为键值的node，如果已经存在，就返回NULL。在这个场景下，由于当前线程是第一次进入到这里，所以肯定不存在，于是就新建了一个ptr为NULL的binder_node，并且初始化其它成员变量，并插入到proc->nodes红黑树中去。

binder_new_node返回到binder_ioctl函数后，就把新建的binder_node指针保存在binder_context_mgr_node中了，紧接着，又初始化了binder_context_mgr_node的引用计数值。

这样，BINDER_SET_CONTEXT_MGR命令就执行完毕了，binder_ioctl函数返回之前，执行了下面语句：

[cpp] view plain copy print ?

if(thread)
thread->looper&=~BINDER_LOOPER_STATE_NEED_RETURN;

if (thread)thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;

回忆上面执行binder_get_thread时，thread->looper =BINDER_LOOPER_STATE_NEED_RETURN，执行了这条语句后，thread->looper = 0。

回到frameworks/base/cmds/servicemanager/service_manager.c文件中的main函数，下一步就是调用binder_loop函数进入循环，等待Client来请求了。binder_loop函数定义在frameworks/base/cmds/servicemanager/binder.c文件中：

[cpp] view plain copy print ?

voidbinder_loop(structbinder_state*bs,binder_handlerfunc)
{
intres;
structbinder_write_readbwr;
unsignedreadbuf[32];
bwr.write_size=0;
bwr.write_consumed=0;
bwr.write_buffer=0;
readbuf[0]=BC_ENTER_LOOPER;
binder_write(bs,readbuf,sizeof(unsigned));
for(;;){
bwr.read_size=sizeof(readbuf);
bwr.read_consumed=0;
bwr.read_buffer=(unsigned)readbuf;
res=ioctl(bs->fd,BINDER_WRITE_READ,&bwr);
if(res<0){
LOGE("binder_loop:ioctlfailed(%s)\n",strerror(errno));
break;
}
res=binder_parse(bs,0,readbuf,bwr.read_consumed,func);
if(res==0){
LOGE("binder_loop:unexpectedreply?!\n");
break;
}
if(res<0){
LOGE("binder_loop:ioerror%d%s\n",res,strerror(errno));
break;
}
}
}

void binder_loop(struct binder_state *bs, binder_handler func){    int res;    struct binder_write_read bwr;    unsigned readbuf[32];    bwr.write_size = 0;    bwr.write_consumed = 0;    bwr.write_buffer = 0;        readbuf[0] = BC_ENTER_LOOPER;    binder_write(bs, readbuf, sizeof(unsigned));    for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (unsigned) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        if (res < 0) {            LOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));            break;        }        res = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);        if (res == 0) {            LOGE("binder_loop: unexpected reply?!\n");            break;        }        if (res < 0) {            LOGE("binder_loop: io error %d %s\n", res, strerror(errno));            break;        }    }}

首先是通过binder_write函数执行BC_ENTER_LOOPER命令告诉Binder驱动程序， Service Manager要进入循环了。

这里又要介绍一下设备文件/dev/binder文件操作函数ioctl的操作码BINDER_WRITE_READ了，首先看定义：

[cpp] view plain copy print ?

#defineBINDER_WRITE_READ_IOWR('b',1,structbinder_write_read)

#define BINDER_WRITE_READ   _IOWR('b', 1, struct binder_write_read)

这个io操作码有一个参数，形式为struct binder_write_read：

[cpp] view plain copy print ?

structbinder_write_read{
signedlongwrite_size;/*bytestowrite*/
signedlongwrite_consumed;/*bytesconsumedbydriver*/
unsignedlongwrite_buffer;
signedlongread_size;/*bytestoread*/
signedlongread_consumed;/*bytesconsumedbydriver*/
unsignedlongread_buffer;
};

struct binder_write_read {signed longwrite_size;/* bytes to write */signed longwrite_consumed;/* bytes consumed by driver */unsigned longwrite_buffer;signed longread_size;/* bytes to read */signed longread_consumed;/* bytes consumed by driver */unsigned longread_buffer;};

这里顺便说一下，用户空间程序和Binder驱动程序交互大多数都是通过BINDER_WRITE_READ命令的，write_bufffer和read_buffer所指向的数据结构还指定了具体要执行的操作，write_bufffer和read_buffer所指向的结构体是structbinder_transaction_data：

[cpp] view plain copy print ?

structbinder_transaction_data{
/*ThefirsttwoareonlyusedforbcTRANSACTIONandbrTRANSACTION,
*identifyingthetargetandcontentsofthetransaction.
*/
union{
size_thandle;/*targetdescriptorofcommandtransaction*/
void*ptr;/*targetdescriptorofreturntransaction*/
}target;
void*cookie;/*targetobjectcookie*/
unsignedintcode;/*transactioncommand*/
/*Generalinformationaboutthetransaction.*/
unsignedintflags;
pid_tsender_pid;
uid_tsender_euid;
size_tdata_size;/*numberofbytesofdata*/
size_toffsets_size;/*numberofbytesofoffsets*/
/*Ifthistransactionisinline,thedataimmediately
*followshere;otherwise,itendswithapointerto
*thedatabuffer.
*/
union{
struct{
/*transactiondata*/
constvoid*buffer;
/*offsetsfrombuffertoflat_binder_objectstructs*/
constvoid*offsets;
}ptr;
uint8_tbuf[8];
}data;
};

struct binder_transaction_data {/* The first two are only used for bcTRANSACTION and brTRANSACTION, * identifying the target and contents of the transaction. */union {size_thandle;/* target descriptor of command transaction */void*ptr;/* target descriptor of return transaction */} target;void*cookie;/* target object cookie */unsigned intcode;/* transaction command *//* General information about the transaction. */unsigned intflags;pid_tsender_pid;uid_tsender_euid;size_tdata_size;/* number of bytes of data */size_toffsets_size;/* number of bytes of offsets *//* If this transaction is inline, the data immediately * follows here; otherwise, it ends with a pointer to * the data buffer. */union {struct {/* transaction data */const void*buffer;/* offsets from buffer to flat_binder_object structs */const void*offsets;} ptr;uint8_tbuf[8];} data;};

有一个联合体target，当这个BINDER_WRITE_READ命令的目标对象是本地Binder实体时，就使用ptr来表示这个对象在本进程中的地址，否则就使用handle来表示这个Binder实体的引用。只有目标对象是Binder实体时，cookie成员变量才有意义，表示一些附加数据，由Binder实体来解释这个个附加数据。code表示要对目标对象请求的命令代码，有很多请求代码，这里就不列举了，在这个场景中，就是BC_ENTER_LOOPER了，用来告诉Binder驱动程序， Service Manager要进入循环了。其余的请求命令代码可以参考kernel/common/drivers/staging/android/binder.h文件中定义的两个枚举类型BinderDriverReturnProtocol和BinderDriverCommandProtocol。

flags成员变量表示事务标志：

[cpp] view plain copy print ?

enumtransaction_flags{
TF_ONE_WAY=0x01,/*thisisaone-waycall:async,noreturn*/
TF_ROOT_OBJECT=0x04,/*contentsarethecomponent'srootobject*/
TF_STATUS_CODE=0x08,/*contentsarea32-bitstatuscode*/
TF_ACCEPT_FDS=0x10,/*allowreplieswithfiledescriptors*/
};

enum transaction_flags {TF_ONE_WAY= 0x01,/* this is a one-way call: async, no return */TF_ROOT_OBJECT= 0x04,/* contents are the component's root object */TF_STATUS_CODE= 0x08,/* contents are a 32-bit status code */TF_ACCEPT_FDS= 0x10,/* allow replies with file descriptors */};

每一个标志位所表示的意义看注释就行了，遇到时再具体分析。

sender_pid和sender_euid表示发送者进程的pid和euid。

data_size表示data.buffer缓冲区的大小，offsets_size表示data.offsets缓冲区的大小。这里需要解释一下data成员变量，命令的真正要传输的数据就保存在data.buffer缓冲区中，前面的一成员变量都是一些用来描述数据的特征的。data.buffer所表示的缓冲区数据分为两类，一类是普通数据，Binder驱动程序不关心，一类是Binder实体或者Binder引用，这需要Binder驱动程序介入处理。为什么呢？想想，如果一个进程A传递了一个Binder实体或Binder引用给进程B，那么，Binder驱动程序就需要介入维护这个Binder实体或者引用的引用计数，防止B进程还在使用这个Binder实体时，A却销毁这个实体，这样的话，B进程就会crash了。所以在传输数据时，如果数据中含有Binder实体和Binder引和，就需要告诉Binder驱动程序它们的具体位置，以便Binder驱动程序能够去维护它们。data.offsets的作用就在这里了，它指定在data.buffer缓冲区中，所有Binder实体或者引用的偏移位置。每一个Binder实体或者引用，通过struct flat_binder_object 来表示：

[cpp] view plain copy print ?

/*
*ThisistheflattenedrepresentationofaBinderobjectfortransfer
*betweenprocesses.The'offsets'suppliedaspartofabindertransaction
*containsoffsetsintothedatawherethesestructuresoccur.TheBinder
*drivertakescareofre-writingthestructuretypeanddataasitmoves
*betweenprocesses.
*/
structflat_binder_object{
/*8bytesforlarge_flat_header.*/
unsignedlongtype;
unsignedlongflags;
/*8bytesofdata.*/
union{
void*binder;/*localobject*/
signedlonghandle;/*remoteobject*/
};
/*extradataassociatedwithlocalobject*/
void*cookie;
};

/* * This is the flattened representation of a Binder object for transfer * between processes.  The 'offsets' supplied as part of a binder transaction * contains offsets into the data where these structures occur.  The Binder * driver takes care of re-writing the structure type and data as it moves * between processes. */struct flat_binder_object {/* 8 bytes for large_flat_header. */unsigned longtype;unsigned longflags;/* 8 bytes of data. */union {void*binder;/* local object */signed longhandle;/* remote object */};/* extra data associated with local object */void*cookie;};

type表示Binder对象的类型，它取值如下所示：

[cpp] view plain copy print ?

enum{
BINDER_TYPE_BINDER=B_PACK_CHARS('s','b','*',B_TYPE_LARGE),
BINDER_TYPE_WEAK_BINDER=B_PACK_CHARS('w','b','*',B_TYPE_LARGE),
BINDER_TYPE_HANDLE=B_PACK_CHARS('s','h','*',B_TYPE_LARGE),
BINDER_TYPE_WEAK_HANDLE=B_PACK_CHARS('w','h','*',B_TYPE_LARGE),
BINDER_TYPE_FD=B_PACK_CHARS('f','d','*',B_TYPE_LARGE),
};

enum {BINDER_TYPE_BINDER= B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),BINDER_TYPE_WEAK_BINDER= B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),BINDER_TYPE_HANDLE= B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),BINDER_TYPE_WEAK_HANDLE= B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),BINDER_TYPE_FD= B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),};

flags表示Binder对象的标志，该域只对第一次传递Binder实体时有效，因为此刻驱动需要在内核中创建相应的实体节点，有些参数需要从该域取出。

type和flags的具体意义可以参考Android Binder设计与实现一文。

最后，binder表示这是一个Binder实体，handle表示这是一个Binder引用，当这是一个Binder实体时，cookie才有意义，表示附加数据，由进程自己解释。

数据结构分析完了，回到binder_loop函数中，首先是执行BC_ENTER_LOOPER命令：

[cpp] view plain copy print ?

readbuf[0]=BC_ENTER_LOOPER;
binder_write(bs,readbuf,sizeof(unsigned));

    readbuf[0] = BC_ENTER_LOOPER;    binder_write(bs, readbuf, sizeof(unsigned));

进入到binder_write函数中：

[cpp] view plain copy print ?

intbinder_write(structbinder_state*bs,void*data,unsignedlen)
{
structbinder_write_readbwr;
intres;
bwr.write_size=len;
bwr.write_consumed=0;
bwr.write_buffer=(unsigned)data;
bwr.read_size=0;
bwr.read_consumed=0;
bwr.read_buffer=0;
res=ioctl(bs->fd,BINDER_WRITE_READ,&bwr);
if(res<0){
fprintf(stderr,"binder_write:ioctlfailed(%s)\n",
strerror(errno));
}
returnres;
}

int binder_write(struct binder_state *bs, void *data, unsigned len){    struct binder_write_read bwr;    int res;    bwr.write_size = len;    bwr.write_consumed = 0;    bwr.write_buffer = (unsigned) data;    bwr.read_size = 0;    bwr.read_consumed = 0;    bwr.read_buffer = 0;    res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);    if (res < 0) {        fprintf(stderr,"binder_write: ioctl failed (%s)\n",                strerror(errno));    }    return res;}

注意这里的binder_write_read变量bwr，write_size大小为4，表示write_buffer缓冲区大小为4，它的内容是一个BC_ENTER_LOOPER命令协议号，read_buffer为空。接着又是调用ioctl函数进入到Binder驱动程序的binder_ioctl函数，这里我们也只是关注BC_ENTER_LOOPER相关的逻辑：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
caseBINDER_WRITE_READ:{
structbinder_write_readbwr;
if(size!=sizeof(structbinder_write_read)){
ret=-EINVAL;
gotoerr;
}
if(copy_from_user(&bwr,ubuf,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrite%ldat%08lx,read%ldat%08lx\n",
proc->pid,thread->pid,bwr.write_size,bwr.write_buffer,bwr.read_size,bwr.read_buffer);
if(bwr.write_size>0){
ret=binder_thread_write(proc,thread,(void__user*)bwr.write_buffer,bwr.write_size,&bwr.write_consumed);
if(ret<0){
bwr.read_consumed=0;
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(bwr.read_size>0){
ret=binder_thread_read(proc,thread,(void__user*)bwr.read_buffer,bwr.read_size,&bwr.read_consumed,filp->f_flags&O_NONBLOCK);
if(!list_empty(&proc->todo))
wake_up_interruptible(&proc->wait);
if(ret<0){
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrote%ldof%ld,readreturn%ldof%ld\n",
proc->pid,thread->pid,bwr.write_consumed,bwr.write_size,bwr.read_consumed,bwr.read_size);
if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
break;
}
......
default:
ret=-EINVAL;
gotoerr;
}
ret=0;
err:
if(thread)
thread->looper&=~BINDER_LOOPER_STATE_NEED_RETURN;
mutex_unlock(&binder_lock);
wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret&&ret!=-ERESTARTSYS)
printk(KERN_INFO"binder:%d:%dioctl%x%lxreturned%d\n",proc->pid,current->pid,cmd,arg,ret);
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {case BINDER_WRITE_READ: {struct binder_write_read bwr;if (size != sizeof(struct binder_write_read)) {ret = -EINVAL;goto err;}if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {ret = -EFAULT;goto err;}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n",proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer);if (bwr.write_size > 0) {ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);if (ret < 0) {bwr.read_consumed = 0;if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (bwr.read_size > 0) {ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);if (!list_empty(&proc->todo))wake_up_interruptible(&proc->wait);if (ret < 0) {if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n",proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size);if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}break;}......default:ret = -EINVAL;goto err;}ret = 0;err:if (thread)thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;mutex_unlock(&binder_lock);wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret && ret != -ERESTARTSYS)printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);return ret;}

函数前面的代码就不解释了，同前面调用binder_become_context_manager是一样的，只不过这里调用binder_get_thread函数获取binder_thread，就能从proc中直接找到了，不需要创建一个新的。

首先是通过copy_from_user(&bwr, ubuf, sizeof(bwr))语句把用户传递进来的参数转换成struct binder_write_read结构体，并保存在本地变量bwr中，这里可以看出bwr.write_size等于4，于是进入binder_thread_write函数，这里我们只关注BC_ENTER_LOOPER相关的代码：

[cpp] view plain copy print ?

int
binder_thread_write(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed)
{
uint32_tcmd;
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
while(ptr<end&&thread->return_error==BR_OK){
if(get_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(_IOC_NR(cmd)<ARRAY_SIZE(binder_stats.bc)){
binder_stats.bc[_IOC_NR(cmd)]++;
proc->stats.bc[_IOC_NR(cmd)]++;
thread->stats.bc[_IOC_NR(cmd)]++;
}
switch(cmd){
......
caseBC_ENTER_LOOPER:
if(binder_debug_mask&BINDER_DEBUG_THREADS)
printk(KERN_INFO"binder:%d:%dBC_ENTER_LOOPER\n",
proc->pid,thread->pid);
if(thread->looper&BINDER_LOOPER_STATE_REGISTERED){
thread->looper|=BINDER_LOOPER_STATE_INVALID;
binder_user_error("binder:%d:%dERROR:"
"BC_ENTER_LOOPERcalledafter"
"BC_REGISTER_LOOPER\n",
proc->pid,thread->pid);
}
thread->looper|=BINDER_LOOPER_STATE_ENTERED;
break;
......
default:
printk(KERN_ERR"binder:%d:%dunknowncommand%d\n",proc->pid,thread->pid,cmd);
return-EINVAL;
}
*consumed=ptr-buffer;
}
return0;
}

intbinder_thread_write(struct binder_proc *proc, struct binder_thread *thread,void __user *buffer, int size, signed long *consumed){uint32_t cmd;void __user *ptr = buffer + *consumed;void __user *end = buffer + size;while (ptr < end && thread->return_error == BR_OK) {if (get_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {binder_stats.bc[_IOC_NR(cmd)]++;proc->stats.bc[_IOC_NR(cmd)]++;thread->stats.bc[_IOC_NR(cmd)]++;}switch (cmd) {    ......case BC_ENTER_LOOPER:if (binder_debug_mask & BINDER_DEBUG_THREADS)printk(KERN_INFO "binder: %d:%d BC_ENTER_LOOPER\n",proc->pid, thread->pid);if (thread->looper & BINDER_LOOPER_STATE_REGISTERED) {thread->looper |= BINDER_LOOPER_STATE_INVALID;binder_user_error("binder: %d:%d ERROR:"" BC_ENTER_LOOPER called after ""BC_REGISTER_LOOPER\n",proc->pid, thread->pid);}thread->looper |= BINDER_LOOPER_STATE_ENTERED;break;        ......default:printk(KERN_ERR "binder: %d:%d unknown command %d\n", proc->pid, thread->pid, cmd);return -EINVAL;}*consumed = ptr - buffer;}return 0;}

回忆前面执行binder_become_context_manager到binder_ioctl时，调用binder_get_thread函数创建的thread->looper值为0，所以这里执行完BC_ENTER_LOOPER时，thread->looper值就变为BINDER_LOOPER_STATE_ENTERED了，表明当前线程进入循环状态了。

回到binder_ioctl函数，由于bwr.read_size == 0，binder_thread_read函数就不会被执行了，这样，binder_ioctl的任务就完成了。

回到binder_loop函数，进入for循环：

[cpp] view plain copy print ?

for(;;){
bwr.read_size=sizeof(readbuf);
bwr.read_consumed=0;
bwr.read_buffer=(unsigned)readbuf;
res=ioctl(bs->fd,BINDER_WRITE_READ,&bwr);
if(res<0){
LOGE("binder_loop:ioctlfailed(%s)\n",strerror(errno));
break;
}
res=binder_parse(bs,0,readbuf,bwr.read_consumed,func);
if(res==0){
LOGE("binder_loop:unexpectedreply?!\n");
break;
}
if(res<0){
LOGE("binder_loop:ioerror%d%s\n",res,strerror(errno));
break;
}
}

    for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (unsigned) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        if (res < 0) {            LOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));            break;        }        res = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);        if (res == 0) {            LOGE("binder_loop: unexpected reply?!\n");            break;        }        if (res < 0) {            LOGE("binder_loop: io error %d %s\n", res, strerror(errno));            break;        }    }

又是执行一个ioctl命令，注意，这里的bwr参数各个成员的值：

[cpp] view plain copy print ?

bwr.write_size=0;
bwr.write_consumed=0;
bwr.write_buffer=0;
readbuf[0]=BC_ENTER_LOOPER;
bwr.read_size=sizeof(readbuf);
bwr.read_consumed=0;
bwr.read_buffer=(unsigned)readbuf;

    bwr.write_size = 0;    bwr.write_consumed = 0;    bwr.write_buffer = 0;    readbuf[0] = BC_ENTER_LOOPER;    bwr.read_size = sizeof(readbuf);    bwr.read_consumed = 0;    bwr.read_buffer = (unsigned) readbuf;

再次进入到binder_ioctl函数：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
caseBINDER_WRITE_READ:{
structbinder_write_readbwr;
if(size!=sizeof(structbinder_write_read)){
ret=-EINVAL;
gotoerr;
}
if(copy_from_user(&bwr,ubuf,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrite%ldat%08lx,read%ldat%08lx\n",
proc->pid,thread->pid,bwr.write_size,bwr.write_buffer,bwr.read_size,bwr.read_buffer);
if(bwr.write_size>0){
ret=binder_thread_write(proc,thread,(void__user*)bwr.write_buffer,bwr.write_size,&bwr.write_consumed);
if(ret<0){
bwr.read_consumed=0;
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(bwr.read_size>0){
ret=binder_thread_read(proc,thread,(void__user*)bwr.read_buffer,bwr.read_size,&bwr.read_consumed,filp->f_flags&O_NONBLOCK);
if(!list_empty(&proc->todo))
wake_up_interruptible(&proc->wait);
if(ret<0){
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrote%ldof%ld,readreturn%ldof%ld\n",
proc->pid,thread->pid,bwr.write_consumed,bwr.write_size,bwr.read_consumed,bwr.read_size);
if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
break;
}
......
default:
ret=-EINVAL;
gotoerr;
}
ret=0;
err:
if(thread)
thread->looper&=~BINDER_LOOPER_STATE_NEED_RETURN;
mutex_unlock(&binder_lock);
wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret&&ret!=-ERESTARTSYS)
printk(KERN_INFO"binder:%d:%dioctl%x%lxreturned%d\n",proc->pid,current->pid,cmd,arg,ret);
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {case BINDER_WRITE_READ: {struct binder_write_read bwr;if (size != sizeof(struct binder_write_read)) {ret = -EINVAL;goto err;}if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {ret = -EFAULT;goto err;}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n",proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer);if (bwr.write_size > 0) {ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);if (ret < 0) {bwr.read_consumed = 0;if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (bwr.read_size > 0) {ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);if (!list_empty(&proc->todo))wake_up_interruptible(&proc->wait);if (ret < 0) {if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n",proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size);if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}break;}......default:ret = -EINVAL;goto err;}ret = 0;err:if (thread)thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;mutex_unlock(&binder_lock);wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret && ret != -ERESTARTSYS)printk(KERN_INFO "binder: %d:%d ioctl %x %lx returned %d\n", proc->pid, current->pid, cmd, arg, ret);return ret;}

这次，bwr.write_size等于0，于是不会执行binder_thread_write函数，bwr.read_size等于32，于是进入到binder_thread_read函数：

[cpp] view plain copy print ?

staticint
binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed,intnon_block)
{
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
intret=0;
intwait_for_proc_work;
if(*consumed==0){
if(put_user(BR_NOOP,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
}
retry:
wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
if(thread->return_error!=BR_OK&&ptr<end){
if(thread->return_error2!=BR_OK){
if(put_user(thread->return_error2,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(ptr==end)
gotodone;
thread->return_error2=BR_OK;
}
if(put_user(thread->return_error,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
thread->return_error=BR_OK;
gotodone;
}
thread->looper|=BINDER_LOOPER_STATE_WAITING;
if(wait_for_proc_work)
proc->ready_threads++;
mutex_unlock(&binder_lock);
if(wait_for_proc_work){
if(!(thread->looper&(BINDER_LOOPER_STATE_REGISTERED|
BINDER_LOOPER_STATE_ENTERED))){
binder_user_error("binder:%d:%dERROR:Threadwaiting"
"forprocessworkbeforecallingBC_REGISTER_"
"LOOPERorBC_ENTER_LOOPER(state%x)\n",
proc->pid,thread->pid,thread->looper);
wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
}
binder_set_nice(proc->default_priority);
if(non_block){
if(!binder_has_proc_work(proc,thread))
ret=-EAGAIN;
}else
ret=wait_event_interruptible_exclusive(proc->wait,binder_has_proc_work(proc,thread));
}else{
if(non_block){
if(!binder_has_thread_work(thread))
ret=-EAGAIN;
}else
ret=wait_event_interruptible(thread->wait,binder_has_thread_work(thread));
}
.......
}

static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);if (thread->return_error != BR_OK && ptr < end) {if (thread->return_error2 != BR_OK) {if (put_user(thread->return_error2, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (ptr == end)goto done;thread->return_error2 = BR_OK;}if (put_user(thread->return_error, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);thread->return_error = BR_OK;goto done;}thread->looper |= BINDER_LOOPER_STATE_WAITING;if (wait_for_proc_work)proc->ready_threads++;mutex_unlock(&binder_lock);if (wait_for_proc_work) {if (!(thread->looper & (BINDER_LOOPER_STATE_REGISTERED |BINDER_LOOPER_STATE_ENTERED))) {binder_user_error("binder: %d:%d ERROR: Thread waiting ""for process work before calling BC_REGISTER_""LOOPER or BC_ENTER_LOOPER (state %x)\n",proc->pid, thread->pid, thread->looper);wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);}binder_set_nice(proc->default_priority);if (non_block) {if (!binder_has_proc_work(proc, thread))ret = -EAGAIN;} elseret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread));} else {if (non_block) {if (!binder_has_thread_work(thread))ret = -EAGAIN;} elseret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));}        .......}

传入的参数*consumed == 0，于是写入一个值BR_NOOP到参数ptr指向的缓冲区中去，即用户传进来的bwr.read_buffer缓冲区。这时候，thread->transaction_stack == NULL，并且thread->todo列表也是空的，这表示当前线程没有事务需要处理，于是wait_for_proc_work为true，表示要去查看proc是否有未处理的事务。当前thread->return_error == BR_OK，这是前面创建binder_thread时初始化设置的。于是继续往下执行，设置thread的状态为BINDER_LOOPER_STATE_WAITING，表示线程处于等待状态。调用binder_set_nice函数设置当前线程的优先级别为proc->default_priority，这是因为thread要去处理属于proc的事务，因此要将此thread的优先级别设置和proc一样。在这个场景中，proc也没有事务处理，即binder_has_proc_work(proc, thread)为false。如果文件打开模式为非阻塞模式，即non_block为true，那么函数就直接返回-EAGAIN，要求用户重新执行ioctl；否则的话，就通过当前线程就通过wait_event_interruptible_exclusive函数进入休眠状态，等待请求到来再唤醒了。

至此，我们就从源代码一步一步地分析完Service Manager是如何成为Android进程间通信（IPC）机制Binder守护进程的了。总结一下，Service Manager是成为Android进程间通信（IPC）机制Binder守护进程的过程是这样的：

1. 打开/dev/binder文件：open("/dev/binder", O_RDWR);

2. 建立128K内存映射：mmap(NULL, mapsize, PROT_READ, MAP_PRIVATE, bs->fd, 0);

3. 通知Binder驱动程序它是守护进程：binder_become_context_manager(bs);

4. 进入循环等待请求的到来：binder_loop(bs, svcmgr_handler);

在这个过程中，在Binder驱动程序中建立了一个struct binder_proc结构、一个struct binder_thread结构和一个struct binder_node结构，这样，Service Manager就在Android系统的进程间通信机制Binder担负起守护进程的职责了

浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路

分类： Android 2011-07-23 12:16 11467人阅读评论(15) 收藏举报在前面一篇文章浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路中，介绍了Service Manager是如何成为Binder机制的守护进程的。既然作为守护进程，Service Manager的职责当然就是为Server和Client服务了。那么，Server和Client如何获得Service Manager接口，进而享受它提供的服务呢？本文将简要分析Server和Client获得Service Manager的过程。

在阅读本文之前，希望读者先阅读Android进程间通信（IPC）机制Binder简要介绍和学习计划一文提到的参考资料Android深入浅出之Binder机制，这样可以加深对本文的理解。

我们知道，Service Manager在Binder机制中既充当守护进程的角色，同时它也充当着Server角色，然而它又与一般的Server不一样。对于普通的Server来说，Client如果想要获得Server的远程接口，那么必须通过Service Manager远程接口提供的getService接口来获得，这本身就是一个使用Binder机制来进行进程间通信的过程。而对于Service Manager这个Server来说，Client如果想要获得Service Manager远程接口，却不必通过进程间通信机制来获得，因为Service Manager远程接口是一个特殊的Binder引用，它的引用句柄一定是0。

获取Service Manager远程接口的函数是defaultServiceManager，这个函数声明在frameworks/base/include/binder/IServiceManager.h文件中：

[cpp] view plain copy print ?

sp<IServiceManager>defaultServiceManager();

sp<IServiceManager> defaultServiceManager();

实现在frameworks/base/libs/binder/IServiceManager.cpp文件中：

[cpp] view plain copy print ?

sp<IServiceManager>defaultServiceManager()
{
if(gDefaultServiceManager!=NULL)returngDefaultServiceManager;
{
AutoMutex_l(gDefaultServiceManagerLock);
if(gDefaultServiceManager==NULL){
gDefaultServiceManager=interface_cast<IServiceManager>(
ProcessState::self()->getContextObject(NULL));
}
}
returngDefaultServiceManager;
}

sp<IServiceManager> defaultServiceManager(){    if (gDefaultServiceManager != NULL) return gDefaultServiceManager;    {        AutoMutex _l(gDefaultServiceManagerLock);        if (gDefaultServiceManager == NULL) {            gDefaultServiceManager = interface_cast<IServiceManager>(                ProcessState::self()->getContextObject(NULL));        }    }    return gDefaultServiceManager;}

gDefaultServiceManagerLock和gDefaultServiceManager是全局变量，定义在frameworks/base/libs/binder/Static.cpp文件中：

[cpp] view plain copy print ?

MutexgDefaultServiceManagerLock;
sp<IServiceManager>gDefaultServiceManager;

Mutex gDefaultServiceManagerLock;sp<IServiceManager> gDefaultServiceManager;

从这个函数可以看出，gDefaultServiceManager是单例模式，调用defaultServiceManager函数时，如果gDefaultServiceManager已经创建，则直接返回，否则通过interface_cast<IServiceManager>(ProcessState::self()->getContextObject(NULL))来创建一个，并保存在gDefaultServiceManager全局变量中。

在继续介绍interface_cast<IServiceManager>(ProcessState::self()->getContextObject(NULL))的实现之前，先来看一个类图，这能够帮助我们了解Service Manager远程接口的创建过程。

参考资料Android深入浅出之Binder机制一文的读者，应该会比较容易理解这个图。这个图表明了，BpServiceManager类继承了BpInterface<IServiceManager>类，BpInterface是一个模板类，它定义在frameworks/base/include/binder/IInterface.h文件中：

[cpp] view plain copy print ?

template<typenameINTERFACE>
classBpInterface:publicINTERFACE,publicBpRefBase
{
public:
BpInterface(constsp<IBinder>&remote);
protected:
virtualIBinder*onAsBinder();
};

template<typename INTERFACE>class BpInterface : public INTERFACE, public BpRefBase{public:BpInterface(const sp<IBinder>& remote);protected:virtual IBinder* onAsBinder();};

IServiceManager类继承了IInterface类，而IInterface类和BpRefBase类又分别继承了RefBase类。在BpRefBase类中，有一个成员变量mRemote，它的类型是IBinder*，实现类为BpBinder，它表示一个Binder引用，引用句柄值保存在BpBinder类的mHandle成员变量中。BpBinder类通过IPCThreadState类来和Binder驱动程序并互，而IPCThreadState又通过它的成员变量mProcess来打开/dev/binder设备文件，mProcess成员变量的类型为ProcessState。ProcessState类打开设备/dev/binder之后，将打开文件描述符保存在mDriverFD成员变量中，以供后续使用。

理解了这些概念之后，就可以继续分析创建Service Manager远程接口的过程了，最终目的是要创建一个BpServiceManager实例，并且返回它的IServiceManager接口。创建Service Manager远程接口主要是下面语句：

[cpp] view plain copy print ?

gDefaultServiceManager=interface_cast<IServiceManager>(
ProcessState::self()->getContextObject(NULL));

            gDefaultServiceManager = interface_cast<IServiceManager>(                ProcessState::self()->getContextObject(NULL));

看起来简短，却暗藏玄机，具体可阅读 Android深入浅出之Binder机制这篇参考资料，这里作简要描述。

首先是调用ProcessState::self函数，self函数是ProcessState的静态成员函数，它的作用是返回一个全局唯一的ProcessState实例变量，就是单例模式了，这个变量名为gProcess。如果gProcess尚未创建，就会执行创建操作，在ProcessState的构造函数中，会通过open文件操作函数打开设备文件/dev/binder，并且返回来的设备文件描述符保存在成员变量mDriverFD中。

接着调用gProcess->getContextObject函数来获得一个句柄值为0的Binder引用，即BpBinder了，于是创建Service Manager远程接口的语句可以简化为：

[cpp] view plain copy print ?

gDefaultServiceManager=interface_cast<IServiceManager>(newBpBinder(0));

            gDefaultServiceManager = interface_cast<IServiceManager>(new BpBinder(0));

再来看函数interface_cast<IServiceManager>的实现，它是一个模板函数，定义在framework/base/include/binder/IInterface.h文件中：

[cpp] view plain copy print ?

template<typenameINTERFACE>
inlinesp<INTERFACE>interface_cast(constsp<IBinder>&obj)
{
returnINTERFACE::asInterface(obj);
}

template<typename INTERFACE>inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj){    return INTERFACE::asInterface(obj);}

这里的INTERFACE是IServiceManager，于是调用了IServiceManager::asInterface函数。IServiceManager::asInterface是通过DECLARE_META_INTERFACE(ServiceManager)宏在IServiceManager类中声明的，它位于framework/base/include/binder/IServiceManager.h文件中：

[cpp] view plain copy print ?

DECLARE_META_INTERFACE(ServiceManager);

DECLARE_META_INTERFACE(ServiceManager);

展开即为：

[cpp] view plain copy print ?

#defineDECLARE_META_INTERFACE(ServiceManager)\
staticconstandroid::String16descriptor;\
staticandroid::sp<IServiceManager>asInterface(\
constandroid::sp<android::IBinder>&obj);\
virtualconstandroid::String16&getInterfaceDescriptor()const;\
IServiceManager();\
virtual~IServiceManager();

#define DECLARE_META_INTERFACE(ServiceManager)                              \static const android::String16 descriptor;                          \static android::sp<IServiceManager> asInterface(                    \const android::sp<android::IBinder>& obj);                          \virtual const android::String16& getInterfaceDescriptor() const;    \IServiceManager();                                                  \virtual ~IServiceManager();

IServiceManager::asInterface的实现是通过IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager")宏定义的，它位于framework/base/libs/binder/IServiceManager.cpp文件中：

[cpp] view plain copy print ?

IMPLEMENT_META_INTERFACE(ServiceManager,"android.os.IServiceManager");

IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");

展开即为：

[cpp] view plain copy print ?

#defineIMPLEMENT_META_INTERFACE(ServiceManager,"android.os.IServiceManager")\
constandroid::String16IServiceManager::descriptor("android.os.IServiceManager");\
constandroid::String16&\
IServiceManager::getInterfaceDescriptor()const{\
returnIServiceManager::descriptor;\
}\
android::sp<IServiceManager>IServiceManager::asInterface(\
constandroid::sp<android::IBinder>&obj)\
{\
android::sp<IServiceManager>intr;\
if(obj!=NULL){\
intr=static_cast<IServiceManager*>(\
obj->queryLocalInterface(\
IServiceManager::descriptor).get());\
if(intr==NULL){\
intr=newBpServiceManager(obj);\
}\
}\
returnintr;\
}\
IServiceManager::IServiceManager(){}\
IServiceManager::~IServiceManager(){}

#define IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager")                 \const android::String16 IServiceManager::descriptor("android.os.IServiceManager");     \const android::String16&       \IServiceManager::getInterfaceDescriptor() const {                                      \return IServiceManager::descriptor;                                                    \}                                                                                      \android::sp<IServiceManager> IServiceManager::asInterface(                             \const android::sp<android::IBinder>& obj)                                              \{                                                                                      \android::sp<IServiceManager> intr;                                                     \if (obj != NULL) {                                                                     \intr = static_cast<IServiceManager*>(                                                  \obj->queryLocalInterface(                                                              \IServiceManager::descriptor).get());                                                   \if (intr == NULL) {                                                                    \intr = new BpServiceManager(obj);                                                      \}                                                                                      \}                                                                                      \return intr;                                                                           \}                                                                                      \IServiceManager::IServiceManager() { }                                                 \IServiceManager::~IServiceManager() { }

估计写这段代码的员工是从Microsoft跳槽到Google的。这里我们关注IServiceManager::asInterface的实现：

[cpp] view plain copy print ?

android::sp<IServiceManager>IServiceManager::asInterface(constandroid::sp<android::IBinder>&obj)
{
android::sp<IServiceManager>intr;
if(obj!=NULL){
intr=static_cast<IServiceManager*>(
obj->queryLocalInterface(IServiceManager::descriptor).get());
if(intr==NULL){
intr=newBpServiceManager(obj);
}
｝
returnintr;
}

android::sp<IServiceManager> IServiceManager::asInterface(const android::sp<android::IBinder>& obj)                                              {                                                                                     android::sp<IServiceManager> intr;                                                    if (obj != NULL) {                                                                     intr = static_cast<IServiceManager*>(                                                                      obj->queryLocalInterface(IServiceManager::descriptor).get());if (intr == NULL) {                intr = new BpServiceManager(obj);                                        }                                          ｝return intr;                                  }

这里传进来的参数obj就则刚才创建的new BpBinder(0)了，BpBinder类中的成员函数queryLocalInterface继承自基类IBinder，IBinder::queryLocalInterface函数位于framework/base/libs/binder/Binder.cpp文件中：

[cpp] view plain copy print ?

sp<IInterface>IBinder::queryLocalInterface(constString16&descriptor)
{
returnNULL;
}

sp<IInterface>  IBinder::queryLocalInterface(const String16& descriptor){    return NULL;}

由此可见，在IServiceManager::asInterface函数中，最终会调用下面语句：

[cpp] view plain copy print ?

intr=newBpServiceManager(obj);

intr = new BpServiceManager(obj);

即为：

[cpp] view plain copy print ?

intr=newBpServiceManager(newBpBinder(0));

intr = new BpServiceManager(new BpBinder(0));

回到defaultServiceManager函数中，最终结果为：

[cpp] view plain copy print ?

gDefaultServiceManager=newBpServiceManager(newBpBinder(0));

gDefaultServiceManager = new BpServiceManager(new BpBinder(0));

这样，Service Manager远程接口就创建完成了，它本质上是一个BpServiceManager，包含了一个句柄值为0的Binder引用。

在Android系统的Binder机制中，Server和Client拿到这个Service Manager远程接口之后怎么用呢？

对Server来说，就是调用IServiceManager::addService这个接口来和Binder驱动程序交互了，即调用BpServiceManager::addService 。而BpServiceManager::addService又会调用通过其基类BpRefBase的成员函数remote获得原先创建的BpBinder实例，接着调用BpBinder::transact成员函数。在BpBinder::transact函数中，又会调用IPCThreadState::transact成员函数，这里就是最终与Binder驱动程序交互的地方了。回忆一下前面的类图，IPCThreadState有一个PorcessState类型的成中变量mProcess，而mProcess有一个成员变量mDriverFD，它是设备文件/dev/binder的打开文件描述符，因此，IPCThreadState就相当于间接在拥有了设备文件/dev/binder的打开文件描述符，于是，便可以与Binder驱动程序交互了。

对Client来说，就是调用IServiceManager::getService这个接口来和Binder驱动程序交互了。具体过程上述Server使用Service Manager的方法是一样的，这里就不再累述了。

IServiceManager::addService和IServiceManager::getService这两个函数的具体实现，在下面两篇文章中，会深入到Binder驱动程序这一层，进行详细的源代码分析，以便更好地理解Binder进程间通信机制，敬请关注。

Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析

分类： Android 2011-07-25 02:43 14451人阅读评论(52) 收藏举报

在前面一篇文章浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路中，介绍了在Android系统中Binder进程间通信机制中的Server角色是如何获得Service Manager远程接口的，即defaultServiceManager函数的实现。Server获得了Service Manager远程接口之后，就要把自己的Service添加到Service Manager中去，然后把自己启动起来，等待Client的请求。本文将通过分析源代码了解Server的启动过程是怎么样的。

本文通过一个具体的例子来说明Binder机制中Server的启动过程。我们知道，在Android系统中，提供了多媒体播放的功能，这个功能是以服务的形式来提供的。这里，我们就通过分析MediaPlayerService的实现来了解Media Server的启动过程。

首先，看一下MediaPlayerService的类图，以便我们理解下面要描述的内容。

我们将要介绍的主角MediaPlayerService继承于BnMediaPlayerService类，熟悉Binder机制的同学应该知道BnMediaPlayerService是一个Binder Native类，用来处理Client请求的。BnMediaPlayerService继承于BnInterface<IMediaPlayerService>类，BnInterface是一个模板类，它定义在frameworks/base/include/binder/IInterface.h文件中：

[cpp] view plain copy print ?

template<typenameINTERFACE>
classBnInterface:publicINTERFACE,publicBBinder
{
public:
virtualsp<IInterface>queryLocalInterface(constString16&_descriptor);
virtualconstString16&getInterfaceDescriptor()const;
protected:
virtualIBinder*onAsBinder();
};

template<typename INTERFACE>class BnInterface : public INTERFACE, public BBinder{public:    virtual sp<IInterface>      queryLocalInterface(const String16& _descriptor);    virtual const String16&     getInterfaceDescriptor() const;protected:    virtual IBinder*            onAsBinder();};

这里可以看出，BnMediaPlayerService实际是继承了IMediaPlayerService和BBinder类。IMediaPlayerService和BBinder类又分别继承了IInterface和IBinder类，IInterface和IBinder类又同时继承了RefBase类。

实际上，BnMediaPlayerService并不是直接接收到Client处发送过来的请求，而是使用了IPCThreadState接收Client处发送过来的请求，而IPCThreadState又借助了ProcessState类来与Binder驱动程序交互。有关IPCThreadState和ProcessState的关系，可以参考上一篇文章浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路，接下来也会有相应的描述。IPCThreadState接收到了Client处的请求后，就会调用BBinder类的transact函数，并传入相关参数，BBinder类的transact函数最终调用BnMediaPlayerService类的onTransact函数，于是，就开始真正地处理Client的请求了。

了解了MediaPlayerService类结构之后，就要开始进入到本文的主题了。

首先，看看MediaPlayerService是如何启动的。启动MediaPlayerService的代码位于frameworks/base/media/mediaserver/main_mediaserver.cpp文件中：

[cpp] view plain copy print ?

intmain(intargc,char**argv)
{
sp<ProcessState>proc(ProcessState::self());
sp<IServiceManager>sm=defaultServiceManager();
LOGI("ServiceManager:%p",sm.get());
AudioFlinger::instantiate();
MediaPlayerService::instantiate();
CameraService::instantiate();
AudioPolicyService::instantiate();
ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
}

int main(int argc, char** argv){    sp<ProcessState> proc(ProcessState::self());    sp<IServiceManager> sm = defaultServiceManager();    LOGI("ServiceManager: %p", sm.get());    AudioFlinger::instantiate();    MediaPlayerService::instantiate();    CameraService::instantiate();    AudioPolicyService::instantiate();    ProcessState::self()->startThreadPool();    IPCThreadState::self()->joinThreadPool();}

这里我们不关注AudioFlinger和CameraService相关的代码。

先看下面这句代码：

[cpp] view plain copy print ?

sp<ProcessState>proc(ProcessState::self());

   sp<ProcessState> proc(ProcessState::self());

这句代码的作用是通过ProcessState::self()调用创建一个ProcessState实例。ProcessState::self()是ProcessState类的一个静态成员变量，定义在frameworks/base/libs/binder/ProcessState.cpp文件中：

[cpp] view plain copy print ?

sp<ProcessState>ProcessState::self()
{
if(gProcess!=NULL)returngProcess;
AutoMutex_l(gProcessMutex);
if(gProcess==NULL)gProcess=newProcessState;
returngProcess;
}

sp<ProcessState> ProcessState::self(){    if (gProcess != NULL) return gProcess;        AutoMutex _l(gProcessMutex);    if (gProcess == NULL) gProcess = new ProcessState;    return gProcess;}

这里可以看出，这个函数作用是返回一个全局唯一的ProcessState实例gProcess。全局唯一实例变量gProcess定义在frameworks/base/libs/binder/Static.cpp文件中：

[cpp] view plain copy print ?

MutexgProcessMutex;
sp<ProcessState>gProcess;

Mutex gProcessMutex;sp<ProcessState> gProcess;

再来看ProcessState的构造函数：

[cpp] view plain copy print ?

ProcessState::ProcessState()
:mDriverFD(open_driver())
,mVMStart(MAP_FAILED)
,mManagesContexts(false)
,mBinderContextCheckFunc(NULL)
,mBinderContextUserData(NULL)
,mThreadPoolStarted(false)
,mThreadPoolSeq(1)
{
if(mDriverFD>=0){
//XXXIdeally,thereshouldbeaspecificdefineforwhetherwe
//havemmap(orwhetherwecouldpossiblyhavethekernelmodule
//availabla).
#if!defined(HAVE_WIN32_IPC)
//mmapthebinder,providingachunkofvirtualaddressspacetoreceivetransactions.
mVMStart=mmap(0,BINDER_VM_SIZE,PROT_READ,MAP_PRIVATE|MAP_NORESERVE,mDriverFD,0);
if(mVMStart==MAP_FAILED){
//*sigh*
LOGE("Using/dev/binderfailed:unabletommaptransactionmemory.\n");
close(mDriverFD);
mDriverFD=-1;
}
#else
mDriverFD=-1;
#endif
}
if(mDriverFD<0){
//Needtorunwithoutthedriver,startingourownthreadpool.
}
}

ProcessState::ProcessState()    : mDriverFD(open_driver())    , mVMStart(MAP_FAILED)    , mManagesContexts(false)    , mBinderContextCheckFunc(NULL)    , mBinderContextUserData(NULL)    , mThreadPoolStarted(false)    , mThreadPoolSeq(1){    if (mDriverFD >= 0) {        // XXX Ideally, there should be a specific define for whether we        // have mmap (or whether we could possibly have the kernel module        // availabla).#if !defined(HAVE_WIN32_IPC)        // mmap the binder, providing a chunk of virtual address space to receive transactions.        mVMStart = mmap(0, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);        if (mVMStart == MAP_FAILED) {            // *sigh*            LOGE("Using /dev/binder failed: unable to mmap transaction memory.\n");            close(mDriverFD);            mDriverFD = -1;        }#else        mDriverFD = -1;#endif    }    if (mDriverFD < 0) {        // Need to run without the driver, starting our own thread pool.    }}

这个函数有两个关键地方，一是通过open_driver函数打开Binder设备文件/dev/binder，并将打开设备文件描述符保存在成员变量mDriverFD中；二是通过mmap来把设备文件/dev/binder映射到内存中。

先看open_driver函数的实现，这个函数同样位于frameworks/base/libs/binder/ProcessState.cpp文件中：

[cpp] view plain copy print ?

staticintopen_driver()
{
if(gSingleProcess){
return-1;
}
intfd=open("/dev/binder",O_RDWR);
if(fd>=0){
fcntl(fd,F_SETFD,FD_CLOEXEC);
intvers;
#ifdefined(HAVE_ANDROID_OS)
status_tresult=ioctl(fd,BINDER_VERSION,&vers);
#else
status_tresult=-1;
errno=EPERM;
#endif
if(result==-1){
LOGE("Binderioctltoobtainversionfailed:%s",strerror(errno));
close(fd);
fd=-1;
}
if(result!=0||vers!=BINDER_CURRENT_PROTOCOL_VERSION){
LOGE("Binderdriverprotocoldoesnotmatchuserspaceprotocol!");
close(fd);
fd=-1;
}
#ifdefined(HAVE_ANDROID_OS)
size_tmaxThreads=15;
result=ioctl(fd,BINDER_SET_MAX_THREADS,&maxThreads);
if(result==-1){
LOGE("Binderioctltosetmaxthreadsfailed:%s",strerror(errno));
}
#endif
}else{
LOGW("Opening'/dev/binder'failed:%s\n",strerror(errno));
}
returnfd;
}

static int open_driver(){    if (gSingleProcess) {        return -1;    }    int fd = open("/dev/binder", O_RDWR);    if (fd >= 0) {        fcntl(fd, F_SETFD, FD_CLOEXEC);        int vers;#if defined(HAVE_ANDROID_OS)        status_t result = ioctl(fd, BINDER_VERSION, &vers);#else        status_t result = -1;        errno = EPERM;#endif        if (result == -1) {            LOGE("Binder ioctl to obtain version failed: %s", strerror(errno));            close(fd);            fd = -1;        }        if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) {            LOGE("Binder driver protocol does not match user space protocol!");            close(fd);            fd = -1;        }#if defined(HAVE_ANDROID_OS)        size_t maxThreads = 15;        result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);        if (result == -1) {            LOGE("Binder ioctl to set max threads failed: %s", strerror(errno));        }#endif            } else {        LOGW("Opening '/dev/binder' failed: %s\n", strerror(errno));    }    return fd;}

这个函数的作用主要是通过open文件操作函数来打开/dev/binder设备文件，然后再调用ioctl文件控制函数来分别执行BINDER_VERSION和BINDER_SET_MAX_THREADS两个命令来和Binder驱动程序进行交互，前者用于获得当前Binder驱动程序的版本号，后者用于通知Binder驱动程序，MediaPlayerService最多可同时启动15个线程来处理Client端的请求。

open在Binder驱动程序中的具体实现，请参考前面一篇文章浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路，这里不再重复描述。打开/dev/binder设备文件后，Binder驱动程序就为MediaPlayerService进程创建了一个struct binder_proc结构体实例来维护MediaPlayerService进程上下文相关信息。

我们来看一下ioctl文件操作函数执行BINDER_VERSION命令的过程：

[cpp] view plain copy print ?

status_tresult=ioctl(fd,BINDER_VERSION,&vers);

status_t result = ioctl(fd, BINDER_VERSION, &vers);

这个函数调用最终进入到Binder驱动程序的binder_ioctl函数中，我们只关注BINDER_VERSION相关的部分逻辑：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
......
caseBINDER_VERSION:
if(size!=sizeof(structbinder_version)){
ret=-EINVAL;
gotoerr;
}
if(put_user(BINDER_CURRENT_PROTOCOL_VERSION,&((structbinder_version*)ubuf)->protocol_version)){
ret=-EINVAL;
gotoerr;
}
break;
......
}
ret=0;
err:
......
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {......case BINDER_VERSION:if (size != sizeof(struct binder_version)) {ret = -EINVAL;goto err;}if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) {ret = -EINVAL;goto err;}break;......}ret = 0;err:        ......return ret;}

很简单，只是将BINDER_CURRENT_PROTOCOL_VERSION写入到传入的参数arg指向的用户缓冲区中去就返回了。BINDER_CURRENT_PROTOCOL_VERSION是一个宏，定义在kernel/common/drivers/staging/android/binder.h文件中：

[cpp] view plain copy print ?

/*Thisisthecurrentprotocolversion.*/
#defineBINDER_CURRENT_PROTOCOL_VERSION7

/* This is the current protocol version. */#define BINDER_CURRENT_PROTOCOL_VERSION 7

这里为什么要把ubuf转换成struct binder_version之后，再通过其protocol_version成员变量再来写入呢，转了一圈，最终内容还是写入到ubuf中。我们看一下struct binder_version的定义就会明白，同样是在kernel/common/drivers/staging/android/binder.h文件中：

[cpp] view plain copy print ?

/*UsewithBINDER_VERSION,driverfillsinfields.*/
structbinder_version{
/*driverprotocolversion--incrementwithincompatiblechange*/
signedlongprotocol_version;
};

/* Use with BINDER_VERSION, driver fills in fields. */struct binder_version {/* driver protocol version -- increment with incompatible change */signed longprotocol_version;};

从注释中可以看出来，这里是考虑到兼容性，因为以后很有可能不是用signed long来表示版本号。

这里有一个重要的地方要注意的是，由于这里是打开设备文件/dev/binder之后，第一次进入到binder_ioctl函数，因此，这里调用binder_get_thread的时候，就会为当前线程创建一个struct binder_thread结构体变量来维护线程上下文信息，具体可以参考浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路一文。

接着我们再来看一下ioctl文件操作函数执行BINDER_SET_MAX_THREADS命令的过程：

[cpp] view plain copy print ?

result=ioctl(fd,BINDER_SET_MAX_THREADS,&maxThreads);

result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);

这个函数调用最终进入到Binder驱动程序的binder_ioctl函数中，我们只关注BINDER_SET_MAX_THREADS相关的部分逻辑：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
......
caseBINDER_SET_MAX_THREADS:
if(copy_from_user(&proc->max_threads,ubuf,sizeof(proc->max_threads))){
ret=-EINVAL;
gotoerr;
}
break;
......
}
ret=0;
err:
......
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {......case BINDER_SET_MAX_THREADS:if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) {ret = -EINVAL;goto err;}break;......}ret = 0;err:......return ret;}

这里实现也是非常简单，只是简单地把用户传进来的参数保存在proc->max_threads中就完毕了。注意，这里再调用binder_get_thread函数的时候，就可以在proc->threads中找到当前线程对应的struct binder_thread结构了，因为前面已经创建好并保存在proc->threads红黑树中。

回到ProcessState的构造函数中，这里还通过mmap函数来把设备文件/dev/binder映射到内存中，这个函数在浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路一文也已经有详细介绍，这里不再重复描述。宏BINDER_VM_SIZE就定义在ProcessState.cpp文件中：

[cpp] view plain copy print ?

#defineBINDER_VM_SIZE((1*1024*1024)-(4096*2))

#define BINDER_VM_SIZE ((1*1024*1024) - (4096 *2))

mmap函数调用完成之后，Binder驱动程序就为当前进程预留了BINDER_VM_SIZE大小的内存空间了。

这样，ProcessState全局唯一变量gProcess就创建完毕了，回到frameworks/base/media/mediaserver/main_mediaserver.cpp文件中的main函数，下一步是调用defaultServiceManager函数来获得Service Manager的远程接口，这个已经在上一篇文章浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路有详细描述，读者可以回过头去参考一下。

再接下来，就进入到MediaPlayerService::instantiate函数把MediaPlayerService添加到Service Manger中去了。这个函数定义在frameworks/base/media/libmediaplayerservice/MediaPlayerService.cpp文件中：

[cpp] view plain copy print ?

voidMediaPlayerService::instantiate(){
defaultServiceManager()->addService(
String16("media.player"),newMediaPlayerService());
}

void MediaPlayerService::instantiate() {    defaultServiceManager()->addService(            String16("media.player"), new MediaPlayerService());}

我们重点看一下IServiceManger::addService的过程，这有助于我们加深对Binder机制的理解。

在上一篇文章浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路中说到，defaultServiceManager返回的实际是一个BpServiceManger类实例，因此，我们看一下BpServiceManger::addService的实现，这个函数实现在frameworks/base/libs/binder/IServiceManager.cpp文件中：

[cpp] view plain copy print ?

classBpServiceManager:publicBpInterface<IServiceManager>
{
public:
BpServiceManager(constsp<IBinder>&impl)
:BpInterface<IServiceManager>(impl)
{
}
......
virtualstatus_taddService(constString16&name,constsp<IBinder>&service)
{
Parceldata,reply;
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
data.writeString16(name);
data.writeStrongBinder(service);
status_terr=remote()->transact(ADD_SERVICE_TRANSACTION,data,&reply);
returnerr==NO_ERROR?reply.readExceptionCode()
}
......
};

class BpServiceManager : public BpInterface<IServiceManager>{public:BpServiceManager(const sp<IBinder>& impl): BpInterface<IServiceManager>(impl){}......virtual status_t addService(const String16& name, const sp<IBinder>& service){Parcel data, reply;data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());data.writeString16(name);data.writeStrongBinder(service);status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);return err == NO_ERROR ? reply.readExceptionCode() }......};

这里的Parcel类是用来于序列化进程间通信数据用的。

先来看这一句的调用：

[cpp] view plain copy print ?

data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());

data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());

IServiceManager::getInterfaceDescriptor()返回来的是一个字符串，即"android.os.IServiceManager"，具体可以参考IServiceManger的实现。我们看一下Parcel::writeInterfaceToken的实现，位于frameworks/base/libs/binder/Parcel.cpp文件中：

[cpp] view plain copy print ?

//WriteRPCheaders.(previouslyjusttheinterfacetoken)
status_tParcel::writeInterfaceToken(constString16&interface)
{
writeInt32(IPCThreadState::self()->getStrictModePolicy()|
STRICT_MODE_PENALTY_GATHER);
//currentlytheinterfaceidentificationtokenisjustitsnameasastring
returnwriteString16(interface);
}

// Write RPC headers.  (previously just the interface token)status_t Parcel::writeInterfaceToken(const String16& interface){    writeInt32(IPCThreadState::self()->getStrictModePolicy() |               STRICT_MODE_PENALTY_GATHER);    // currently the interface identification token is just its name as a string    return writeString16(interface);}

它的作用是写入一个整数和一个字符串到Parcel中去。

再来看下面的调用：

[cpp] view plain copy print ?

data.writeString16(name);

data.writeString16(name);

这里又是写入一个字符串到Parcel中去，这里的name即是上面传进来的“media.player”字符串。

往下看：

[cpp] view plain copy print ?

data.writeStrongBinder(service);

data.writeStrongBinder(service);

这里定入一个Binder对象到Parcel去。我们重点看一下这个函数的实现，因为它涉及到进程间传输Binder实体的问题，比较复杂，需要重点关注，同时，也是理解Binder机制的一个重点所在。注意，这里的service参数是一个MediaPlayerService对象。

[cpp] view plain copy print ?

status_tParcel::writeStrongBinder(constsp<IBinder>&val)
{
returnflatten_binder(ProcessState::self(),val,this);
}

status_t Parcel::writeStrongBinder(const sp<IBinder>& val){    return flatten_binder(ProcessState::self(), val, this);}

看到flatten_binder函数，是不是似曾相识的感觉？我们在前面一篇文章浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路中，曾经提到在Binder驱动程序中，使用struct flat_binder_object来表示传输中的一个binder对象，它的定义如下所示：

[cpp] view plain copy print ?

/*
*ThisistheflattenedrepresentationofaBinderobjectfortransfer
*betweenprocesses.The'offsets'suppliedaspartofabindertransaction
*containsoffsetsintothedatawherethesestructuresoccur.TheBinder
*drivertakescareofre-writingthestructuretypeanddataasitmoves
*betweenprocesses.
*/
structflat_binder_object{
/*8bytesforlarge_flat_header.*/
unsignedlongtype;
unsignedlongflags;
/*8bytesofdata.*/
union{
void*binder;/*localobject*/
signedlonghandle;/*remoteobject*/
};
/*extradataassociatedwithlocalobject*/
void*cookie;
};

/* * This is the flattened representation of a Binder object for transfer * between processes.  The 'offsets' supplied as part of a binder transaction * contains offsets into the data where these structures occur.  The Binder * driver takes care of re-writing the structure type and data as it moves * between processes. */struct flat_binder_object {/* 8 bytes for large_flat_header. */unsigned longtype;unsigned longflags;/* 8 bytes of data. */union {void*binder;/* local object */signed longhandle;/* remote object */};/* extra data associated with local object */void*cookie;};

各个成员变量的含义请参考资料 Android Binder设计与实现。

我们进入到flatten_binder函数看看：

[cpp] view plain copy print ?

status_tflatten_binder(constsp<ProcessState>&proc,
constsp<IBinder>&binder,Parcel*out)
{
flat_binder_objectobj;
obj.flags=0x7f|FLAT_BINDER_FLAG_ACCEPTS_FDS;
if(binder!=NULL){
IBinder*local=binder->localBinder();
if(!local){
BpBinder*proxy=binder->remoteBinder();
if(proxy==NULL){
LOGE("nullproxy");
}
constint32_thandle=proxy?proxy->handle():0;
obj.type=BINDER_TYPE_HANDLE;
obj.handle=handle;
obj.cookie=NULL;
}else{
obj.type=BINDER_TYPE_BINDER;
obj.binder=local->getWeakRefs();
obj.cookie=local;
}
}else{
obj.type=BINDER_TYPE_BINDER;
obj.binder=NULL;
obj.cookie=NULL;
}
returnfinish_flatten_binder(binder,obj,out);
}

status_t flatten_binder(const sp<ProcessState>& proc,    const sp<IBinder>& binder, Parcel* out){    flat_binder_object obj;        obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;    if (binder != NULL) {        IBinder *local = binder->localBinder();        if (!local) {            BpBinder *proxy = binder->remoteBinder();            if (proxy == NULL) {                LOGE("null proxy");            }            const int32_t handle = proxy ? proxy->handle() : 0;            obj.type = BINDER_TYPE_HANDLE;            obj.handle = handle;            obj.cookie = NULL;        } else {            obj.type = BINDER_TYPE_BINDER;            obj.binder = local->getWeakRefs();            obj.cookie = local;        }    } else {        obj.type = BINDER_TYPE_BINDER;        obj.binder = NULL;        obj.cookie = NULL;    }        return finish_flatten_binder(binder, obj, out);}

首先是初始化flat_binder_object的flags域：

[cpp] view plain copy print ?

obj.flags=0x7f|FLAT_BINDER_FLAG_ACCEPTS_FDS;

obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;

0x7f表示处理本Binder实体请求数据包的线程的最低优先级，FLAT_BINDER_FLAG_ACCEPTS_FDS表示这个Binder实体可以接受文件描述符，Binder实体在收到文件描述符时，就会在本进程中打开这个文件。

传进来的binder即为MediaPlayerService::instantiate函数中new出来的MediaPlayerService实例，因此，不为空。又由于MediaPlayerService继承自BBinder类，它是一个本地Binder实体，因此binder->localBinder返回一个BBinder指针，而且肯定不为空，于是执行下面语句：

[cpp] view plain copy print ?

obj.type=BINDER_TYPE_BINDER;
obj.binder=local->getWeakRefs();
obj.cookie=local;

obj.type = BINDER_TYPE_BINDER;obj.binder = local->getWeakRefs();obj.cookie = local;

设置了flat_binder_obj的其他成员变量，注意，指向这个Binder实体地址的指针local保存在flat_binder_obj的成员变量cookie中。

函数调用finish_flatten_binder来将这个flat_binder_obj写入到Parcel中去：

[cpp] view plain copy print ?

inlinestaticstatus_tfinish_flatten_binder(
constsp<IBinder>&binder,constflat_binder_object&flat,Parcel*out)
{
returnout->writeObject(flat,false);
}

inline static status_t finish_flatten_binder(    const sp<IBinder>& binder, const flat_binder_object& flat, Parcel* out){    return out->writeObject(flat, false);}

Parcel::writeObject的实现如下：

[cpp] view plain copy print ?

status_tParcel::writeObject(constflat_binder_object&val,boolnullMetaData)
{
constboolenoughData=(mDataPos+sizeof(val))<=mDataCapacity;
constboolenoughObjects=mObjectsSize<mObjectsCapacity;
if(enoughData&&enoughObjects){
restart_write:
*reinterpret_cast<flat_binder_object*>(mData+mDataPos)=val;
//Needtowritemeta-data?
if(nullMetaData||val.binder!=NULL){
mObjects[mObjectsSize]=mDataPos;
acquire_object(ProcessState::self(),val,this);
mObjectsSize++;
}
//rememberifit'safiledescriptor
if(val.type==BINDER_TYPE_FD){
mHasFds=mFdsKnown=true;
}
returnfinishWrite(sizeof(flat_binder_object));
}
if(!enoughData){
conststatus_terr=growData(sizeof(val));
if(err!=NO_ERROR)returnerr;
}
if(!enoughObjects){
size_tnewSize=((mObjectsSize+2)*3)/2;
size_t*objects=(size_t*)realloc(mObjects,newSize*sizeof(size_t));
if(objects==NULL)returnNO_MEMORY;
mObjects=objects;
mObjectsCapacity=newSize;
}
gotorestart_write;
}

status_t Parcel::writeObject(const flat_binder_object& val, bool nullMetaData){    const bool enoughData = (mDataPos+sizeof(val)) <= mDataCapacity;    const bool enoughObjects = mObjectsSize < mObjectsCapacity;    if (enoughData && enoughObjects) {restart_write:        *reinterpret_cast<flat_binder_object*>(mData+mDataPos) = val;                // Need to write meta-data?        if (nullMetaData || val.binder != NULL) {            mObjects[mObjectsSize] = mDataPos;            acquire_object(ProcessState::self(), val, this);            mObjectsSize++;        }                // remember if it's a file descriptor        if (val.type == BINDER_TYPE_FD) {            mHasFds = mFdsKnown = true;        }        return finishWrite(sizeof(flat_binder_object));    }    if (!enoughData) {        const status_t err = growData(sizeof(val));        if (err != NO_ERROR) return err;    }    if (!enoughObjects) {        size_t newSize = ((mObjectsSize+2)*3)/2;        size_t* objects = (size_t*)realloc(mObjects, newSize*sizeof(size_t));        if (objects == NULL) return NO_MEMORY;        mObjects = objects;        mObjectsCapacity = newSize;    }        goto restart_write;}

这里除了把flat_binder_obj写到Parcel里面之内，还要记录这个flat_binder_obj在Parcel里面的偏移位置：

[cpp] view plain copy print ?

mObjects[mObjectsSize]=mDataPos;

mObjects[mObjectsSize] = mDataPos;

这里因为，如果进程间传输的数据间带有Binder对象的时候，Binder驱动程序需要作进一步的处理，以维护各个Binder实体的一致性，下面我们将会看到Binder驱动程序是怎么处理这些Binder对象的。

再回到BpServiceManager::addService函数中，调用下面语句：

[cpp] view plain copy print ?

status_terr=remote()->transact(ADD_SERVICE_TRANSACTION,data,&reply);

status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);

回到浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路一文中的类图中去看一下，这里的remote成员函数来自于BpRefBase类，它返回一个BpBinder指针。因此，我们继续进入到BpBinder::transact函数中去看看：

[cpp] view plain copy print ?

status_tBpBinder::transact(
uint32_tcode,constParcel&data,Parcel*reply,uint32_tflags)
{
//Onceabinderhasdied,itwillnevercomebacktolife.
if(mAlive){
status_tstatus=IPCThreadState::self()->transact(
mHandle,code,data,reply,flags);
if(status==DEAD_OBJECT)mAlive=0;
returnstatus;
}
returnDEAD_OBJECT;
}

status_t BpBinder::transact(    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags){    // Once a binder has died, it will never come back to life.    if (mAlive) {        status_t status = IPCThreadState::self()->transact(            mHandle, code, data, reply, flags);        if (status == DEAD_OBJECT) mAlive = 0;        return status;    }    return DEAD_OBJECT;}

这里又调用了IPCThreadState::transact进执行实际的操作。注意，这里的mHandle为0，code为ADD_SERVICE_TRANSACTION。ADD_SERVICE_TRANSACTION是上面以参数形式传进来的，那mHandle为什么是0呢？因为这里表示的是Service Manager远程接口，它的句柄值一定是0，具体请参考浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路一文。
再进入到IPCThreadState::transact函数，看看做了些什么事情：

[cpp] view plain copy print ?

status_tIPCThreadState::transact(int32_thandle,
uint32_tcode,constParcel&data,
Parcel*reply,uint32_tflags)
{
status_terr=data.errorCheck();
flags|=TF_ACCEPT_FDS;
IF_LOG_TRANSACTIONS(){
TextOutput::Bundle_b(alog);
alog<<"BC_TRANSACTIONthr"<<(void*)pthread_self()<<"/hand"
<<handle<<"/code"<<TypeCode(code)<<":"
<<indent<<data<<dedent<<endl;
}
if(err==NO_ERROR){
LOG_ONEWAY(">>>>SENDfrompid%duid%d%s",getpid(),getuid(),
(flags&TF_ONE_WAY)==0?"READREPLY":"ONEWAY");
err=writeTransactionData(BC_TRANSACTION,flags,handle,code,data,NULL);
}
if(err!=NO_ERROR){
if(reply)reply->setError(err);
return(mLastError=err);
}
if((flags&TF_ONE_WAY)==0){
#if0
if(code==4){//relayout
LOGI(">>>>>>CALLINGtransaction4");
}else{
LOGI(">>>>>>CALLINGtransaction%d",code);
}
#endif
if(reply){
err=waitForResponse(reply);
}else{
ParcelfakeReply;
err=waitForResponse(&fakeReply);
}
#if0
if(code==4){//relayout
LOGI("<<<<<<RETURNINGtransaction4");
}else{
LOGI("<<<<<<RETURNINGtransaction%d",code);
}
#endif
IF_LOG_TRANSACTIONS(){
TextOutput::Bundle_b(alog);
alog<<"BR_REPLYthr"<<(void*)pthread_self()<<"/hand"
<<handle<<":";
if(reply)alog<<indent<<*reply<<dedent<<endl;
elsealog<<"(nonerequested)"<<endl;
}
}else{
err=waitForResponse(NULL,NULL);
}
returnerr;
}

status_t IPCThreadState::transact(int32_t handle,                                  uint32_t code, const Parcel& data,                                  Parcel* reply, uint32_t flags){    status_t err = data.errorCheck();    flags |= TF_ACCEPT_FDS;    IF_LOG_TRANSACTIONS() {        TextOutput::Bundle _b(alog);        alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand "            << handle << " / code " << TypeCode(code) << ": "            << indent << data << dedent << endl;    }        if (err == NO_ERROR) {        LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(),            (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY");        err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);    }        if (err != NO_ERROR) {        if (reply) reply->setError(err);        return (mLastError = err);    }        if ((flags & TF_ONE_WAY) == 0) {        #if 0        if (code == 4) { // relayout            LOGI(">>>>>> CALLING transaction 4");        } else {            LOGI(">>>>>> CALLING transaction %d", code);        }        #endif        if (reply) {            err = waitForResponse(reply);        } else {            Parcel fakeReply;            err = waitForResponse(&fakeReply);        }        #if 0        if (code == 4) { // relayout            LOGI("<<<<<< RETURNING transaction 4");        } else {            LOGI("<<<<<< RETURNING transaction %d", code);        }        #endif                IF_LOG_TRANSACTIONS() {            TextOutput::Bundle _b(alog);            alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand "                << handle << ": ";            if (reply) alog << indent << *reply << dedent << endl;            else alog << "(none requested)" << endl;        }    } else {        err = waitForResponse(NULL, NULL);    }        return err;}

IPCThreadState::transact函数的参数flags是一个默认值为0的参数，上面没有传相应的实参进来，因此，这里就为0。

函数首先调用writeTransactionData函数准备好一个structbinder_transaction_data结构体变量，这个是等一下要传输给Binder驱动程序的。structbinder_transaction_data的定义我们在浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路一文中有详细描述，读者不妨回过去读一下。这里为了方便描述，将structbinder_transaction_data的定义再次列出来：

[cpp] view plain copy print ?

structbinder_transaction_data{
/*ThefirsttwoareonlyusedforbcTRANSACTIONandbrTRANSACTION,
*identifyingthetargetandcontentsofthetransaction.
*/
union{
size_thandle;/*targetdescriptorofcommandtransaction*/
void*ptr;/*targetdescriptorofreturntransaction*/
}target;
void*cookie;/*targetobjectcookie*/
unsignedintcode;/*transactioncommand*/
/*Generalinformationaboutthetransaction.*/
unsignedintflags;
pid_tsender_pid;
uid_tsender_euid;
size_tdata_size;/*numberofbytesofdata*/
size_toffsets_size;/*numberofbytesofoffsets*/
/*Ifthistransactionisinline,thedataimmediately
*followshere;otherwise,itendswithapointerto
*thedatabuffer.
*/
union{
struct{
/*transactiondata*/
constvoid*buffer;
/*offsetsfrombuffertoflat_binder_objectstructs*/
constvoid*offsets;
}ptr;
uint8_tbuf[8];
}data;
};

struct binder_transaction_data {/* The first two are only used for bcTRANSACTION and brTRANSACTION, * identifying the target and contents of the transaction. */union {size_thandle;/* target descriptor of command transaction */void*ptr;/* target descriptor of return transaction */} target;void*cookie;/* target object cookie */unsigned intcode;/* transaction command *//* General information about the transaction. */unsigned intflags;pid_tsender_pid;uid_tsender_euid;size_tdata_size;/* number of bytes of data */size_toffsets_size;/* number of bytes of offsets *//* If this transaction is inline, the data immediately * follows here; otherwise, it ends with a pointer to * the data buffer. */union {struct {/* transaction data */const void*buffer;/* offsets from buffer to flat_binder_object structs */const void*offsets;} ptr;uint8_tbuf[8];} data;};

writeTransactionData函数的实现如下：

[cpp] view plain copy print ?

status_tIPCThreadState::writeTransactionData(int32_tcmd,uint32_tbinderFlags,
int32_thandle,uint32_tcode,constParcel&data,status_t*statusBuffer)
{
binder_transaction_datatr;
tr.target.handle=handle;
tr.code=code;
tr.flags=binderFlags;
conststatus_terr=data.errorCheck();
if(err==NO_ERROR){
tr.data_size=data.ipcDataSize();
tr.data.ptr.buffer=data.ipcData();
tr.offsets_size=data.ipcObjectsCount()*sizeof(size_t);
tr.data.ptr.offsets=data.ipcObjects();
}elseif(statusBuffer){
tr.flags|=TF_STATUS_CODE;
*statusBuffer=err;
tr.data_size=sizeof(status_t);
tr.data.ptr.buffer=statusBuffer;
tr.offsets_size=0;
tr.data.ptr.offsets=NULL;
}else{
return(mLastError=err);
}
mOut.writeInt32(cmd);
mOut.write(&tr,sizeof(tr));
returnNO_ERROR;
}

status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer){    binder_transaction_data tr;    tr.target.handle = handle;    tr.code = code;    tr.flags = binderFlags;        const status_t err = data.errorCheck();    if (err == NO_ERROR) {        tr.data_size = data.ipcDataSize();        tr.data.ptr.buffer = data.ipcData();        tr.offsets_size = data.ipcObjectsCount()*sizeof(size_t);        tr.data.ptr.offsets = data.ipcObjects();    } else if (statusBuffer) {        tr.flags |= TF_STATUS_CODE;        *statusBuffer = err;        tr.data_size = sizeof(status_t);        tr.data.ptr.buffer = statusBuffer;        tr.offsets_size = 0;        tr.data.ptr.offsets = NULL;    } else {        return (mLastError = err);    }        mOut.writeInt32(cmd);    mOut.write(&tr, sizeof(tr));        return NO_ERROR;}

注意，这里的cmd为BC_TRANSACTION。这个函数很简单，在这个场景下，就是执行下面语句来初始化本地变量tr：

[cpp] view plain copy print ?

tr.data_size=data.ipcDataSize();
tr.data.ptr.buffer=data.ipcData();
tr.offsets_size=data.ipcObjectsCount()*sizeof(size_t);
tr.data.ptr.offsets=data.ipcObjects();

tr.data_size = data.ipcDataSize();tr.data.ptr.buffer = data.ipcData();tr.offsets_size = data.ipcObjectsCount()*sizeof(size_t);tr.data.ptr.offsets = data.ipcObjects();

回忆一下上面的内容，写入到tr.data.ptr.buffer的内容相当于下面的内容：

[cpp] view plain copy print ?

writeInt32(IPCThreadState::self()->getStrictModePolicy()|
STRICT_MODE_PENALTY_GATHER);
writeString16("android.os.IServiceManager");
writeString16("media.player");
writeStrongBinder(newMediaPlayerService());

writeInt32(IPCThreadState::self()->getStrictModePolicy() |               STRICT_MODE_PENALTY_GATHER);writeString16("android.os.IServiceManager");writeString16("media.player");writeStrongBinder(new MediaPlayerService());

其中包含了一个Binder实体MediaPlayerService，因此需要设置tr.offsets_size就为1，tr.data.ptr.offsets就指向了这个MediaPlayerService的地址在tr.data.ptr.buffer中的偏移量。最后，将tr的内容保存在IPCThreadState的成员变量mOut中。
回到IPCThreadState::transact函数中，接下去看，(flags & TF_ONE_WAY) == 0为true，并且reply不为空，所以最终进入到waitForResponse(reply)这条路径来。我们看一下waitForResponse函数的实现：

[cpp] view plain copy print ?

status_tIPCThreadState::waitForResponse(Parcel*reply,status_t*acquireResult)
{
int32_tcmd;
int32_terr;
while(1){
if((err=talkWithDriver())<NO_ERROR)break;
err=mIn.errorCheck();
if(err<NO_ERROR)break;
if(mIn.dataAvail()==0)continue;
cmd=mIn.readInt32();
IF_LOG_COMMANDS(){
alog<<"ProcessingwaitForResponseCommand:"
<<getReturnString(cmd)<<endl;
}
switch(cmd){
caseBR_TRANSACTION_COMPLETE:
if(!reply&&!acquireResult)gotofinish;
break;
caseBR_DEAD_REPLY:
err=DEAD_OBJECT;
gotofinish;
caseBR_FAILED_REPLY:
err=FAILED_TRANSACTION;
gotofinish;
caseBR_ACQUIRE_RESULT:
{
LOG_ASSERT(acquireResult!=NULL,"UnexpectedbrACQUIRE_RESULT");
constint32_tresult=mIn.readInt32();
if(!acquireResult)continue;
*acquireResult=result?NO_ERROR:INVALID_OPERATION;
}
gotofinish;
caseBR_REPLY:
{
binder_transaction_datatr;
err=mIn.read(&tr,sizeof(tr));
LOG_ASSERT(err==NO_ERROR,"NotenoughcommanddataforbrREPLY");
if(err!=NO_ERROR)gotofinish;
if(reply){
if((tr.flags&TF_STATUS_CODE)==0){
reply->ipcSetDataReference(
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),
freeBuffer,this);
}else{
err=*static_cast<conststatus_t*>(tr.data.ptr.buffer);
freeBuffer(NULL,
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),this);
}
}else{
freeBuffer(NULL,
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),this);
continue;
}
}
gotofinish;
default:
err=executeCommand(cmd);
if(err!=NO_ERROR)gotofinish;
break;
}
}
finish:
if(err!=NO_ERROR){
if(acquireResult)*acquireResult=err;
if(reply)reply->setError(err);
mLastError=err;
}
returnerr;
}

status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult){    int32_t cmd;    int32_t err;    while (1) {        if ((err=talkWithDriver()) < NO_ERROR) break;        err = mIn.errorCheck();        if (err < NO_ERROR) break;        if (mIn.dataAvail() == 0) continue;                cmd = mIn.readInt32();                IF_LOG_COMMANDS() {            alog << "Processing waitForResponse Command: "                << getReturnString(cmd) << endl;        }        switch (cmd) {        case BR_TRANSACTION_COMPLETE:            if (!reply && !acquireResult) goto finish;            break;                case BR_DEAD_REPLY:            err = DEAD_OBJECT;            goto finish;        case BR_FAILED_REPLY:            err = FAILED_TRANSACTION;            goto finish;                case BR_ACQUIRE_RESULT:            {                LOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT");                const int32_t result = mIn.readInt32();                if (!acquireResult) continue;                *acquireResult = result ? NO_ERROR : INVALID_OPERATION;            }            goto finish;                case BR_REPLY:            {                binder_transaction_data tr;                err = mIn.read(&tr, sizeof(tr));                LOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");                if (err != NO_ERROR) goto finish;                if (reply) {                    if ((tr.flags & TF_STATUS_CODE) == 0) {                        reply->ipcSetDataReference(                            reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                            tr.data_size,                            reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                            tr.offsets_size/sizeof(size_t),                            freeBuffer, this);                    } else {                        err = *static_cast<const status_t*>(tr.data.ptr.buffer);                        freeBuffer(NULL,                            reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                            tr.data_size,                            reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                            tr.offsets_size/sizeof(size_t), this);                    }                } else {                    freeBuffer(NULL,                        reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                        tr.data_size,                        reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                        tr.offsets_size/sizeof(size_t), this);                    continue;                }            }            goto finish;        default:            err = executeCommand(cmd);            if (err != NO_ERROR) goto finish;            break;        }    }finish:    if (err != NO_ERROR) {        if (acquireResult) *acquireResult = err;        if (reply) reply->setError(err);        mLastError = err;    }        return err;}

这个函数虽然很长，但是主要调用了talkWithDriver函数来与Binder驱动程序进行交互：

[cpp] view plain copy print ?

status_tIPCThreadState::talkWithDriver(booldoReceive)
{
LOG_ASSERT(mProcess->mDriverFD>=0,"Binderdriverisnotopened");
binder_write_readbwr;
//Isthereadbufferempty?
constboolneedRead=mIn.dataPosition()>=mIn.dataSize();
//Wedon'twanttowriteanythingifwearestillreading
//fromdataleftintheinputbufferandthecaller
//hasrequestedtoreadthenextdata.
constsize_toutAvail=(!doReceive||needRead)?mOut.dataSize():0;
bwr.write_size=outAvail;
bwr.write_buffer=(longunsignedint)mOut.data();
//Thisiswhatwe'llread.
if(doReceive&&needRead){
bwr.read_size=mIn.dataCapacity();
bwr.read_buffer=(longunsignedint)mIn.data();
}else{
bwr.read_size=0;
}
IF_LOG_COMMANDS(){
TextOutput::Bundle_b(alog);
if(outAvail!=0){
alog<<"Sendingcommandstodriver:"<<indent;
constvoid*cmds=(constvoid*)bwr.write_buffer;
constvoid*end=((constuint8_t*)cmds)+bwr.write_size;
alog<<HexDump(cmds,bwr.write_size)<<endl;
while(cmds<end)cmds=printCommand(alog,cmds);
alog<<dedent;
}
alog<<"Sizeofreceivebuffer:"<<bwr.read_size
<<",needRead:"<<needRead<<",doReceive:"<<doReceive<<endl;
}
//Returnimmediatelyifthereisnothingtodo.
if((bwr.write_size==0)&&(bwr.read_size==0))returnNO_ERROR;
bwr.write_consumed=0;
bwr.read_consumed=0;
status_terr;
do{
IF_LOG_COMMANDS(){
alog<<"Abouttoread/write,writesize="<<mOut.dataSize()<<endl;
}
#ifdefined(HAVE_ANDROID_OS)
if(ioctl(mProcess->mDriverFD,BINDER_WRITE_READ,&bwr)>=0)
err=NO_ERROR;
else
err=-errno;
#else
err=INVALID_OPERATION;
#endif
IF_LOG_COMMANDS(){
alog<<"Finishedread/write,writesize="<<mOut.dataSize()<<endl;
}
}while(err==-EINTR);
IF_LOG_COMMANDS(){
alog<<"Ourerr:"<<(void*)err<<",writeconsumed:"
<<bwr.write_consumed<<"(of"<<mOut.dataSize()
<<"),readconsumed:"<<bwr.read_consumed<<endl;
}
if(err>=NO_ERROR){
if(bwr.write_consumed>0){
if(bwr.write_consumed<(ssize_t)mOut.dataSize())
mOut.remove(0,bwr.write_consumed);
else
mOut.setDataSize(0);
}
if(bwr.read_consumed>0){
mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);
}
IF_LOG_COMMANDS(){
TextOutput::Bundle_b(alog);
alog<<"Remainingdatasize:"<<mOut.dataSize()<<endl;
alog<<"Receivedcommandsfromdriver:"<<indent;
constvoid*cmds=mIn.data();
constvoid*end=mIn.data()+mIn.dataSize();
alog<<HexDump(cmds,mIn.dataSize())<<endl;
while(cmds<end)cmds=printReturnCommand(alog,cmds);
alog<<dedent;
}
returnNO_ERROR;
}
returnerr;
}

status_t IPCThreadState::talkWithDriver(bool doReceive){    LOG_ASSERT(mProcess->mDriverFD >= 0, "Binder driver is not opened");        binder_write_read bwr;        // Is the read buffer empty?    const bool needRead = mIn.dataPosition() >= mIn.dataSize();        // We don't want to write anything if we are still reading    // from data left in the input buffer and the caller    // has requested to read the next data.    const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;        bwr.write_size = outAvail;    bwr.write_buffer = (long unsigned int)mOut.data();    // This is what we'll read.    if (doReceive && needRead) {        bwr.read_size = mIn.dataCapacity();        bwr.read_buffer = (long unsigned int)mIn.data();    } else {        bwr.read_size = 0;    }        IF_LOG_COMMANDS() {        TextOutput::Bundle _b(alog);        if (outAvail != 0) {            alog << "Sending commands to driver: " << indent;            const void* cmds = (const void*)bwr.write_buffer;            const void* end = ((const uint8_t*)cmds)+bwr.write_size;            alog << HexDump(cmds, bwr.write_size) << endl;            while (cmds < end) cmds = printCommand(alog, cmds);            alog << dedent;        }        alog << "Size of receive buffer: " << bwr.read_size            << ", needRead: " << needRead << ", doReceive: " << doReceive << endl;    }        // Return immediately if there is nothing to do.    if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;        bwr.write_consumed = 0;    bwr.read_consumed = 0;    status_t err;    do {        IF_LOG_COMMANDS() {            alog << "About to read/write, write size = " << mOut.dataSize() << endl;        }#if defined(HAVE_ANDROID_OS)        if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)            err = NO_ERROR;        else            err = -errno;#else        err = INVALID_OPERATION;#endif        IF_LOG_COMMANDS() {            alog << "Finished read/write, write size = " << mOut.dataSize() << endl;        }    } while (err == -EINTR);        IF_LOG_COMMANDS() {        alog << "Our err: " << (void*)err << ", write consumed: "            << bwr.write_consumed << " (of " << mOut.dataSize()<< "), read consumed: " << bwr.read_consumed << endl;    }    if (err >= NO_ERROR) {        if (bwr.write_consumed > 0) {            if (bwr.write_consumed < (ssize_t)mOut.dataSize())                mOut.remove(0, bwr.write_consumed);            else                mOut.setDataSize(0);        }        if (bwr.read_consumed > 0) {            mIn.setDataSize(bwr.read_consumed);            mIn.setDataPosition(0);        }        IF_LOG_COMMANDS() {            TextOutput::Bundle _b(alog);            alog << "Remaining data size: " << mOut.dataSize() << endl;            alog << "Received commands from driver: " << indent;            const void* cmds = mIn.data();            const void* end = mIn.data() + mIn.dataSize();            alog << HexDump(cmds, mIn.dataSize()) << endl;            while (cmds < end) cmds = printReturnCommand(alog, cmds);            alog << dedent;        }        return NO_ERROR;    }        return err;}

这里doReceive和needRead均为1，有兴趣的读者可以自已分析一下。因此，这里告诉Binder驱动程序，先执行write操作，再执行read操作，下面我们将会看到。

最后，通过ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr)进行到Binder驱动程序的binder_ioctl函数，我们只关注cmd为BINDER_WRITE_READ的逻辑：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
caseBINDER_WRITE_READ:{
structbinder_write_readbwr;
if(size!=sizeof(structbinder_write_read)){
ret=-EINVAL;
gotoerr;
}
if(copy_from_user(&bwr,ubuf,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrite%ldat%08lx,read%ldat%08lx\n",
proc->pid,thread->pid,bwr.write_size,bwr.write_buffer,bwr.read_size,bwr.read_buffer);
if(bwr.write_size>0){
ret=binder_thread_write(proc,thread,(void__user*)bwr.write_buffer,bwr.write_size,&bwr.write_consumed);
if(ret<0){
bwr.read_consumed=0;
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(bwr.read_size>0){
ret=binder_thread_read(proc,thread,(void__user*)bwr.read_buffer,bwr.read_size,&bwr.read_consumed,filp->f_flags&O_NONBLOCK);
if(!list_empty(&proc->todo))
wake_up_interruptible(&proc->wait);
if(ret<0){
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrote%ldof%ld,readreturn%ldof%ld\n",
proc->pid,thread->pid,bwr.write_consumed,bwr.write_size,bwr.read_consumed,bwr.read_size);
if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
break;
}
......
}
ret=0;
err:
......
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {case BINDER_WRITE_READ: {struct binder_write_read bwr;if (size != sizeof(struct binder_write_read)) {ret = -EINVAL;goto err;}if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {ret = -EFAULT;goto err;}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n",proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer);if (bwr.write_size > 0) {ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);if (ret < 0) {bwr.read_consumed = 0;if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (bwr.read_size > 0) {ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);if (!list_empty(&proc->todo))wake_up_interruptible(&proc->wait);if (ret < 0) {if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n",proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size);if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}break;}......}ret = 0;err:......return ret;}

函数首先是将用户传进来的参数拷贝到本地变量struct binder_write_read bwr中去。这里bwr.write_size > 0为true，因此，进入到binder_thread_write函数中，我们只关注BC_TRANSACTION部分的逻辑：

[cpp] view plain copy print ?

binder_thread_write(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed)
{
uint32_tcmd;
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
while(ptr<end&&thread->return_error==BR_OK){
if(get_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(_IOC_NR(cmd)<ARRAY_SIZE(binder_stats.bc)){
binder_stats.bc[_IOC_NR(cmd)]++;
proc->stats.bc[_IOC_NR(cmd)]++;
thread->stats.bc[_IOC_NR(cmd)]++;
}
switch(cmd){
.....
caseBC_TRANSACTION:
caseBC_REPLY:{
structbinder_transaction_datatr;
if(copy_from_user(&tr,ptr,sizeof(tr)))
return-EFAULT;
ptr+=sizeof(tr);
binder_transaction(proc,thread,&tr,cmd==BC_REPLY);
break;
}
......
}
*consumed=ptr-buffer;
}
return0;
}

binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,void __user *buffer, int size, signed long *consumed){uint32_t cmd;void __user *ptr = buffer + *consumed;void __user *end = buffer + size;while (ptr < end && thread->return_error == BR_OK) {if (get_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {binder_stats.bc[_IOC_NR(cmd)]++;proc->stats.bc[_IOC_NR(cmd)]++;thread->stats.bc[_IOC_NR(cmd)]++;}switch (cmd) {        .....case BC_TRANSACTION:case BC_REPLY: {struct binder_transaction_data tr;if (copy_from_user(&tr, ptr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);binder_transaction(proc, thread, &tr, cmd == BC_REPLY);break;}......}*consumed = ptr - buffer;}return 0;}

首先将用户传进来的transact参数拷贝在本地变量struct binder_transaction_data tr中去，接着调用binder_transaction函数进一步处理，这里我们忽略掉无关代码：

[cpp] view plain copy print ?

staticvoid
binder_transaction(structbinder_proc*proc,structbinder_thread*thread,
structbinder_transaction_data*tr,intreply)
{
structbinder_transaction*t;
structbinder_work*tcomplete;
size_t*offp,*off_end;
structbinder_proc*target_proc;
structbinder_thread*target_thread=NULL;
structbinder_node*target_node=NULL;
structlist_head*target_list;
wait_queue_head_t*target_wait;
structbinder_transaction*in_reply_to=NULL;
structbinder_transaction_log_entry*e;
uint32_treturn_error;
......
if(reply){
......
}else{
if(tr->target.handle){
......
}else{
target_node=binder_context_mgr_node;
if(target_node==NULL){
return_error=BR_DEAD_REPLY;
gotoerr_no_context_mgr_node;
}
}
......
target_proc=target_node->proc;
if(target_proc==NULL){
return_error=BR_DEAD_REPLY;
gotoerr_dead_binder;
}
......
}
if(target_thread){
......
}else{
target_list=&target_proc->todo;
target_wait=&target_proc->wait;
}
......
/*TODO:reuseincomingtransactionforreply*/
t=kzalloc(sizeof(*t),GFP_KERNEL);
if(t==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_t_failed;
}
......
tcomplete=kzalloc(sizeof(*tcomplete),GFP_KERNEL);
if(tcomplete==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_tcomplete_failed;
}
......
if(!reply&&!(tr->flags&TF_ONE_WAY))
t->from=thread;
else
t->from=NULL;
t->sender_euid=proc->tsk->cred->euid;
t->to_proc=target_proc;
t->to_thread=target_thread;
t->code=tr->code;
t->flags=tr->flags;
t->priority=task_nice(current);
t->buffer=binder_alloc_buf(target_proc,tr->data_size,
tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));
if(t->buffer==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_alloc_buf_failed;
}
t->buffer->allow_user_free=0;
t->buffer->debug_id=t->debug_id;
t->buffer->transaction=t;
t->buffer->target_node=target_node;
if(target_node)
binder_inc_node(target_node,1,0,NULL);
offp=(size_t*)(t->buffer->data+ALIGN(tr->data_size,sizeof(void*)));
if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}
if(copy_from_user(offp,tr->data.ptr.offsets,tr->offsets_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}
......
off_end=(void*)offp+tr->offsets_size;
for(;offp<off_end;offp++){
structflat_binder_object*fp;
......
fp=(structflat_binder_object*)(t->buffer->data+*offp);
switch(fp->type){
caseBINDER_TYPE_BINDER:
caseBINDER_TYPE_WEAK_BINDER:{
structbinder_ref*ref;
structbinder_node*node=binder_get_node(proc,fp->binder);
if(node==NULL){
node=binder_new_node(proc,fp->binder,fp->cookie);
if(node==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_new_node_failed;
}
node->min_priority=fp->flags&FLAT_BINDER_FLAG_PRIORITY_MASK;
node->accept_fds=!!(fp->flags&FLAT_BINDER_FLAG_ACCEPTS_FDS);
}
if(fp->cookie!=node->cookie){
......
gotoerr_binder_get_ref_for_node_failed;
}
ref=binder_get_ref_for_node(target_proc,node);
if(ref==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_get_ref_for_node_failed;
}
if(fp->type==BINDER_TYPE_BINDER)
fp->type=BINDER_TYPE_HANDLE;
else
fp->type=BINDER_TYPE_WEAK_HANDLE;
fp->handle=ref->desc;
binder_inc_ref(ref,fp->type==BINDER_TYPE_HANDLE,&thread->todo);
......
}break;
......
}
}
if(reply){
......
}elseif(!(t->flags&TF_ONE_WAY)){
BUG_ON(t->buffer->async_transaction!=0);
t->need_reply=1;
t->from_parent=thread->transaction_stack;
thread->transaction_stack=t;
}else{
......
}
t->work.type=BINDER_WORK_TRANSACTION;
list_add_tail(&t->work.entry,target_list);
tcomplete->type=BINDER_WORK_TRANSACTION_COMPLETE;
list_add_tail(&tcomplete->entry,&thread->todo);
if(target_wait)
wake_up_interruptible(target_wait);
return;
......
}

static voidbinder_transaction(struct binder_proc *proc, struct binder_thread *thread,struct binder_transaction_data *tr, int reply){struct binder_transaction *t;struct binder_work *tcomplete;size_t *offp, *off_end;struct binder_proc *target_proc;struct binder_thread *target_thread = NULL;struct binder_node *target_node = NULL;struct list_head *target_list;wait_queue_head_t *target_wait;struct binder_transaction *in_reply_to = NULL;struct binder_transaction_log_entry *e;uint32_t return_error;        ......if (reply) {         ......} else {if (tr->target.handle) {            ......} else {target_node = binder_context_mgr_node;if (target_node == NULL) {return_error = BR_DEAD_REPLY;goto err_no_context_mgr_node;}}......target_proc = target_node->proc;if (target_proc == NULL) {return_error = BR_DEAD_REPLY;goto err_dead_binder;}......}if (target_thread) {......} else {target_list = &target_proc->todo;target_wait = &target_proc->wait;}....../* TODO: reuse incoming transaction for reply */t = kzalloc(sizeof(*t), GFP_KERNEL);if (t == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_t_failed;}......tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);if (tcomplete == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_tcomplete_failed;}......if (!reply && !(tr->flags & TF_ONE_WAY))t->from = thread;elset->from = NULL;t->sender_euid = proc->tsk->cred->euid;t->to_proc = target_proc;t->to_thread = target_thread;t->code = tr->code;t->flags = tr->flags;t->priority = task_nice(current);t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));if (t->buffer == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_alloc_buf_failed;}t->buffer->allow_user_free = 0;t->buffer->debug_id = t->debug_id;t->buffer->transaction = t;t->buffer->target_node = target_node;if (target_node)binder_inc_node(target_node, 1, 0, NULL);offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}......off_end = (void *)offp + tr->offsets_size;for (; offp < off_end; offp++) {struct flat_binder_object *fp;......fp = (struct flat_binder_object *)(t->buffer->data + *offp);switch (fp->type) {case BINDER_TYPE_BINDER:case BINDER_TYPE_WEAK_BINDER: {struct binder_ref *ref;struct binder_node *node = binder_get_node(proc, fp->binder);if (node == NULL) {node = binder_new_node(proc, fp->binder, fp->cookie);if (node == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_new_node_failed;}node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);}if (fp->cookie != node->cookie) {......goto err_binder_get_ref_for_node_failed;}ref = binder_get_ref_for_node(target_proc, node);if (ref == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_get_ref_for_node_failed;}if (fp->type == BINDER_TYPE_BINDER)fp->type = BINDER_TYPE_HANDLE;elsefp->type = BINDER_TYPE_WEAK_HANDLE;fp->handle = ref->desc;binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo);......  } break;......}}if (reply) {......} else if (!(t->flags & TF_ONE_WAY)) {BUG_ON(t->buffer->async_transaction != 0);t->need_reply = 1;t->from_parent = thread->transaction_stack;thread->transaction_stack = t;} else {......}t->work.type = BINDER_WORK_TRANSACTION;list_add_tail(&t->work.entry, target_list);tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;list_add_tail(&tcomplete->entry, &thread->todo);if (target_wait)wake_up_interruptible(target_wait);return;    ......}

注意，这里传进来的参数reply为0，tr->target.handle也为0。因此，target_proc、target_thread、target_node、target_list和target_wait的值分别为：

[cpp] view plain copy print ?

target_node=binder_context_mgr_node;
target_proc=target_node->proc;
target_list=&target_proc->todo;
target_wait=&target_proc->wait;

target_node = binder_context_mgr_node;target_proc = target_node->proc;target_list = &target_proc->todo;target_wait = &target_proc->wait;

接着，分配了一个待处理事务t和一个待完成工作项tcomplete，并执行初始化工作：

[cpp] view plain copy print ?

/*TODO:reuseincomingtransactionforreply*/
t=kzalloc(sizeof(*t),GFP_KERNEL);
if(t==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_t_failed;
}
......
tcomplete=kzalloc(sizeof(*tcomplete),GFP_KERNEL);
if(tcomplete==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_tcomplete_failed;
}
......
if(!reply&&!(tr->flags&TF_ONE_WAY))
t->from=thread;
else
t->from=NULL;
t->sender_euid=proc->tsk->cred->euid;
t->to_proc=target_proc;
t->to_thread=target_thread;
t->code=tr->code;
t->flags=tr->flags;
t->priority=task_nice(current);
t->buffer=binder_alloc_buf(target_proc,tr->data_size,
tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));
if(t->buffer==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_alloc_buf_failed;
}
t->buffer->allow_user_free=0;
t->buffer->debug_id=t->debug_id;
t->buffer->transaction=t;
t->buffer->target_node=target_node;
if(target_node)
binder_inc_node(target_node,1,0,NULL);
offp=(size_t*)(t->buffer->data+ALIGN(tr->data_size,sizeof(void*)));
if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}
if(copy_from_user(offp,tr->data.ptr.offsets,tr->offsets_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}

/* TODO: reuse incoming transaction for reply */t = kzalloc(sizeof(*t), GFP_KERNEL);if (t == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_t_failed;}......tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);if (tcomplete == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_tcomplete_failed;}......if (!reply && !(tr->flags & TF_ONE_WAY))t->from = thread;elset->from = NULL;t->sender_euid = proc->tsk->cred->euid;t->to_proc = target_proc;t->to_thread = target_thread;t->code = tr->code;t->flags = tr->flags;t->priority = task_nice(current);t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));if (t->buffer == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_alloc_buf_failed;}t->buffer->allow_user_free = 0;t->buffer->debug_id = t->debug_id;t->buffer->transaction = t;t->buffer->target_node = target_node;if (target_node)binder_inc_node(target_node, 1, 0, NULL);offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}

注意，这里的事务t是要交给target_proc处理的，在这个场景之下，就是Service Manager了。因此，下面的语句：

[cpp] view plain copy print ?

t->buffer=binder_alloc_buf(target_proc,tr->data_size,
tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));

t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));

就是在Service Manager的进程空间中分配一块内存来保存用户传进入的参数了：

[cpp] view plain copy print ?

if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}
if(copy_from_user(offp,tr->data.ptr.offsets,tr->offsets_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}

if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}

由于现在target_node要被使用了，增加它的引用计数：

[cpp] view plain copy print ?

if(target_node)
binder_inc_node(target_node,1,0,NULL);

if (target_node)binder_inc_node(target_node, 1, 0, NULL);

接下去的for循环，就是用来处理传输数据中的Binder对象了。在我们的场景中，有一个类型为BINDER_TYPE_BINDER的Binder实体MediaPlayerService：

[cpp] view plain copy print ?

switch(fp->type){
caseBINDER_TYPE_BINDER:
caseBINDER_TYPE_WEAK_BINDER:{
structbinder_ref*ref;
structbinder_node*node=binder_get_node(proc,fp->binder);
if(node==NULL){
node=binder_new_node(proc,fp->binder,fp->cookie);
if(node==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_new_node_failed;
}
node->min_priority=fp->flags&FLAT_BINDER_FLAG_PRIORITY_MASK;
node->accept_fds=!!(fp->flags&FLAT_BINDER_FLAG_ACCEPTS_FDS);
}
if(fp->cookie!=node->cookie){
......
gotoerr_binder_get_ref_for_node_failed;
}
ref=binder_get_ref_for_node(target_proc,node);
if(ref==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_get_ref_for_node_failed;
}
if(fp->type==BINDER_TYPE_BINDER)
fp->type=BINDER_TYPE_HANDLE;
else
fp->type=BINDER_TYPE_WEAK_HANDLE;
fp->handle=ref->desc;
binder_inc_ref(ref,fp->type==BINDER_TYPE_HANDLE,&thread->todo);
......
}break;

    switch (fp->type) {    case BINDER_TYPE_BINDER:    case BINDER_TYPE_WEAK_BINDER: {struct binder_ref *ref;struct binder_node *node = binder_get_node(proc, fp->binder);if (node == NULL) {node = binder_new_node(proc, fp->binder, fp->cookie);if (node == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_new_node_failed;}node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);}if (fp->cookie != node->cookie) {......goto err_binder_get_ref_for_node_failed;}ref = binder_get_ref_for_node(target_proc, node);if (ref == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_get_ref_for_node_failed;}if (fp->type == BINDER_TYPE_BINDER)fp->type = BINDER_TYPE_HANDLE;elsefp->type = BINDER_TYPE_WEAK_HANDLE;fp->handle = ref->desc;binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE, &thread->todo);......  } break;

由于是第一次在Binder驱动程序中传输这个MediaPlayerService，调用binder_get_node函数查询这个Binder实体时，会返回空，于是binder_new_node在proc中新建一个，下次就可以直接使用了。

现在，由于要把这个Binder实体MediaPlayerService交给target_proc，也就是Service Manager来管理，也就是说Service Manager要引用这个MediaPlayerService了，于是通过binder_get_ref_for_node为MediaPlayerService创建一个引用，并且通过binder_inc_ref来增加这个引用计数，防止这个引用还在使用过程当中就被销毁。注意，到了这里的时候，t->buffer中的flat_binder_obj的type已经改为BINDER_TYPE_HANDLE，handle已经改为ref->desc，跟原来不一样了，因为这个flat_binder_obj是最终是要传给Service Manager的，而Service Manager只能够通过句柄值来引用这个Binder实体。

最后，把待处理事务加入到target_list列表中去：

[cpp] view plain copy print ?

list_add_tail(&t->work.entry,target_list);

list_add_tail(&t->work.entry, target_list);

并且把待完成工作项加入到本线程的todo等待执行列表中去：

[cpp] view plain copy print ?

list_add_tail(&tcomplete->entry,&thread->todo);

list_add_tail(&tcomplete->entry, &thread->todo);

现在目标进程有事情可做了，于是唤醒它：

[cpp] view plain copy print ?

if(target_wait)
wake_up_interruptible(target_wait);

if (target_wait)wake_up_interruptible(target_wait);

这里就是要唤醒Service Manager进程了。回忆一下前面浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路这篇文章，此时， Service Manager正在binder_thread_read函数中调用wait_event_interruptible进入休眠状态。

这里我们先忽略一下Service Manager被唤醒之后的场景，继续MedaPlayerService的启动过程，然后再回来。

回到binder_ioctl函数，bwr.read_size > 0为true，于是进入binder_thread_read函数：

[cpp] view plain copy print ?

staticint
binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed,intnon_block)
{
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
intret=0;
intwait_for_proc_work;
if(*consumed==0){
if(put_user(BR_NOOP,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
}
retry:
wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
.......
if(wait_for_proc_work){
.......
}else{
if(non_block){
if(!binder_has_thread_work(thread))
ret=-EAGAIN;
}else
ret=wait_event_interruptible(thread->wait,binder_has_thread_work(thread));
}
......
while(1){
uint32_tcmd;
structbinder_transaction_datatr;
structbinder_work*w;
structbinder_transaction*t=NULL;
if(!list_empty(&thread->todo))
w=list_first_entry(&thread->todo,structbinder_work,entry);
elseif(!list_empty(&proc->todo)&&wait_for_proc_work)
w=list_first_entry(&proc->todo,structbinder_work,entry);
else{
if(ptr-buffer==4&&!(thread->looper&BINDER_LOOPER_STATE_NEED_RETURN))/*nodataadded*/
gotoretry;
break;
}
if(end-ptr<sizeof(tr)+4)
break;
switch(w->type){
......
caseBINDER_WORK_TRANSACTION_COMPLETE:{
cmd=BR_TRANSACTION_COMPLETE;
if(put_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
binder_stat_br(proc,thread,cmd);
if(binder_debug_mask&BINDER_DEBUG_TRANSACTION_COMPLETE)
printk(KERN_INFO"binder:%d:%dBR_TRANSACTION_COMPLETE\n",
proc->pid,thread->pid);
list_del(&w->entry);
kfree(w);
binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++;
}break;
......
}
if(!t)
continue;
......
}
done:
......
return0;
}

static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);.......if (wait_for_proc_work) {.......} else {if (non_block) {if (!binder_has_thread_work(thread))ret = -EAGAIN;} elseret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));}......while (1) {uint32_t cmd;struct binder_transaction_data tr;struct binder_work *w;struct binder_transaction *t = NULL;if (!list_empty(&thread->todo))w = list_first_entry(&thread->todo, struct binder_work, entry);else if (!list_empty(&proc->todo) && wait_for_proc_work)w = list_first_entry(&proc->todo, struct binder_work, entry);else {if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */goto retry;break;}if (end - ptr < sizeof(tr) + 4)break;switch (w->type) {......case BINDER_WORK_TRANSACTION_COMPLETE: {cmd = BR_TRANSACTION_COMPLETE;if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);binder_stat_br(proc, thread, cmd);if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE)printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n",proc->pid, thread->pid);list_del(&w->entry);kfree(w);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++;   } break;......}if (!t)continue;......}done:......return 0;}

这里，thread->transaction_stack和thread->todo均不为空，于是wait_for_proc_work为false，由于binder_has_thread_work的时候，返回true，这里因为thread->todo不为空，因此，线程虽然调用了wait_event_interruptible，但是不会睡眠，于是继续往下执行。

由于thread->todo不为空，执行下列语句：

[cpp] view plain copy print ?

if(!list_empty(&thread->todo))
w=list_first_entry(&thread->todo,structbinder_work,entry);

if (!list_empty(&thread->todo))     w = list_first_entry(&thread->todo, struct binder_work, entry);

w->type为BINDER_WORK_TRANSACTION_COMPLETE，这是在上面的binder_transaction函数设置的，于是执行：

[cpp] view plain copy print ?

switch(w->type){
......
caseBINDER_WORK_TRANSACTION_COMPLETE:{
cmd=BR_TRANSACTION_COMPLETE;
if(put_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
......
list_del(&w->entry);
kfree(w);
}break;
......
}

    switch (w->type) {    ......    case BINDER_WORK_TRANSACTION_COMPLETE: {cmd = BR_TRANSACTION_COMPLETE;if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);        ......list_del(&w->entry);kfree(w);} break;......    }

这里就将w从thread->todo删除了。由于这里t为空，重新执行while循环，这时由于已经没有事情可做了，最后就返回到binder_ioctl函数中。注间，这里一共往用户传进来的缓冲区buffer写入了两个整数，分别是BR_NOOP和BR_TRANSACTION_COMPLETE。

binder_ioctl函数返回到用户空间之前，把数据消耗情况拷贝回用户空间中：

[cpp] view plain copy print ?

if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}

if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}

最后返回到IPCThreadState::talkWithDriver函数中，执行下面语句：

[cpp] view plain copy print ?

if(err>=NO_ERROR){
if(bwr.write_consumed>0){
if(bwr.write_consumed<(ssize_t)mOut.dataSize())
mOut.remove(0,bwr.write_consumed);
else
mOut.setDataSize(0);
}
if(bwr.read_consumed>0){
<PREclass=cppname="code">mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);</PRE>}......returnNO_ERROR;}

    if (err >= NO_ERROR) {        if (bwr.write_consumed > 0) {            if (bwr.write_consumed < (ssize_t)mOut.dataSize())                mOut.remove(0, bwr.write_consumed);            else                mOut.setDataSize(0);        }        if (bwr.read_consumed > 0) {                                                                       [cpp] view plain copy print ?                                                      mIn.setDataSize(bwr.read_consumed);
         mIn.setDataPosition(0);
        
                                    mIn.setDataSize(bwr.read_consumed);            mIn.setDataPosition(0);
 } ...... return NO_ERROR; }
   首先是把mOut的数据清空：
                                                                       [cpp] view plain copy print ?                                                      mOut.setDataSize(0);
        
                            mOut.setDataSize(0);
   然后设置已经读取的内容的大小：
                                                                       [cpp] view plain copy print ?                                                      mIn.setDataSize(bwr.read_consumed);
         mIn.setDataPosition(0);
        
                            mIn.setDataSize(bwr.read_consumed);    mIn.setDataPosition(0);
   然后返回到IPCThreadState::waitForResponse函数中。在IPCThreadState::waitForResponse函数，先是从mIn读出一个整数，这个便是BR_NOOP了，这是一个空操作，什么也不做。然后继续进入IPCThreadState::talkWithDriver函数中。
   这时候，下面语句执行后：
                                                                       [cpp] view plain copy print ?                                                      constboolneedRead=mIn.dataPosition()>=mIn.dataSize();
        
                        const bool needRead = mIn.dataPosition() >= mIn.dataSize();
   needRead为false，因为在mIn中，尚有一个整数BR_TRANSACTION_COMPLETE未读出。
   这时候，下面语句执行后：
                                                                       [cpp] view plain copy print ?                                                      constsize_toutAvail=(!doReceive||needRead)?mOut.dataSize():0;
        
                        const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
   outAvail等于0。因此，最后bwr.write_size和bwr.read_size均为0，IPCThreadState::talkWithDriver函数什么也不做，直接返回到IPCThreadState::waitForResponse函数中。在IPCThreadState::waitForResponse函数，又继续从mIn读出一个整数，这个便是BR_TRANSACTION_COMPLETE：
                                                                       [cpp] view plain copy print ?                                                      switch(cmd){
         caseBR_TRANSACTION_COMPLETE:
         if(!reply&&!acquireResult)gotofinish;
         break;
         ......
         }
        
                        switch (cmd) {case BR_TRANSACTION_COMPLETE:       if (!reply && !acquireResult) goto finish;       break;......}
   reply不为NULL，因此，IPCThreadState::waitForResponse的循环没有结束，继续执行，又进入到IPCThreadState::talkWithDrive中。
   这次，needRead就为true了，而outAvail仍为0，所以bwr.read_size不为0，bwr.write_size为0。于是通过：
                                                                       [cpp] view plain copy print ?                                                      ioctl(mProcess->mDriverFD,BINDER_WRITE_READ,&bwr)
        
                        ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr)
   进入到Binder驱动程序中的binder_ioctl函数中。由于bwr.write_size为0，bwr.read_size不为0，这次直接就进入到binder_thread_read函数中。这时候，thread->transaction_stack不等于0，但是thread->todo为空，于是线程就通过：
                                                                       [cpp] view plain copy print ?                                                      wait_event_interruptible(thread->wait,binder_has_thread_work(thread));
        
                        wait_event_interruptible(thread->wait, binder_has_thread_work(thread));
   进入睡眠状态，等待Service Manager来唤醒了。
   现在，我们可以回到Service Manager被唤醒的过程了。我们接着前面浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路这篇文章的最后，继续描述。此时， Service Manager正在binder_thread_read函数中调用wait_event_interruptible_exclusive进入休眠状态。上面被MediaPlayerService启动后进程唤醒后，继续执行binder_thread_read函数：
                                                                       [cpp] view plain copy print ?                                                      staticint
         binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
         void__user*buffer,intsize,signedlong*consumed,intnon_block)
         {
         void__user*ptr=buffer+*consumed;
         void__user*end=buffer+size;
         
         intret=0;
         intwait_for_proc_work;
         
         if(*consumed==0){
         if(put_user(BR_NOOP,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         }
         
         retry:
         wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
         
         ......
         
         if(wait_for_proc_work){
         ......
         if(non_block){
         if(!binder_has_proc_work(proc,thread))
         ret=-EAGAIN;
         }else
         ret=wait_event_interruptible_exclusive(proc->wait,binder_has_proc_work(proc,thread));
         }else{
         ......
         }
         
         ......
         
         while(1){
         uint32_tcmd;
         structbinder_transaction_datatr;
         structbinder_work*w;
         structbinder_transaction*t=NULL;
         
         if(!list_empty(&thread->todo))
         w=list_first_entry(&thread->todo,structbinder_work,entry);
         elseif(!list_empty(&proc->todo)&&wait_for_proc_work)
         w=list_first_entry(&proc->todo,structbinder_work,entry);
         else{
         if(ptr-buffer==4&&!(thread->looper&BINDER_LOOPER_STATE_NEED_RETURN))/*nodataadded*/
         gotoretry;
         break;
         }
         
         if(end-ptr<sizeof(tr)+4)
         break;
         
         switch(w->type){
         caseBINDER_WORK_TRANSACTION:{
         t=container_of(w,structbinder_transaction,work);
         }break;
         ......
         }
         
         if(!t)
         continue;
         
         BUG_ON(t->buffer==NULL);
         if(t->buffer->target_node){
         structbinder_node*target_node=t->buffer->target_node;
         tr.target.ptr=target_node->ptr;
         tr.cookie=target_node->cookie;
         ......
         cmd=BR_TRANSACTION;
         }else{
         ......
         }
         tr.code=t->code;
         tr.flags=t->flags;
         tr.sender_euid=t->sender_euid;
         
         if(t->from){
         structtask_struct*sender=t->from->proc->tsk;
         tr.sender_pid=task_tgid_nr_ns(sender,current->nsproxy->pid_ns);
         }else{
         tr.sender_pid=0;
         }
         
         tr.data_size=t->buffer->data_size;
         tr.offsets_size=t->buffer->offsets_size;
         tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
         tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));
         
         if(put_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         if(copy_to_user(ptr,&tr,sizeof(tr)))
         return-EFAULT;
         ptr+=sizeof(tr);
         
         ......
         
         list_del(&t->work.entry);
         t->buffer->allow_user_free=1;
         if(cmd==BR_TRANSACTION&&!(t->flags&TF_ONE_WAY)){
         t->to_parent=thread->transaction_stack;
         t->to_thread=thread;
         thread->transaction_stack=t;
         }else{
         t->buffer->transaction=NULL;
         kfree(t);
         binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;
         }
         break;
         }
         
         done:
         
         ......
         return0;
         }
        
                        static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);......if (wait_for_proc_work) {......if (non_block) {if (!binder_has_proc_work(proc, thread))ret = -EAGAIN;} elseret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread));} else {......}......while (1) {uint32_t cmd;struct binder_transaction_data tr;struct binder_work *w;struct binder_transaction *t = NULL;if (!list_empty(&thread->todo))w = list_first_entry(&thread->todo, struct binder_work, entry);else if (!list_empty(&proc->todo) && wait_for_proc_work)w = list_first_entry(&proc->todo, struct binder_work, entry);else {if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */goto retry;break;}if (end - ptr < sizeof(tr) + 4)break;switch (w->type) {case BINDER_WORK_TRANSACTION: {t = container_of(w, struct binder_transaction, work);  } break;......}if (!t)continue;BUG_ON(t->buffer == NULL);if (t->buffer->target_node) {struct binder_node *target_node = t->buffer->target_node;tr.target.ptr = target_node->ptr;tr.cookie =  target_node->cookie;......cmd = BR_TRANSACTION;} else {......}tr.code = t->code;tr.flags = t->flags;tr.sender_euid = t->sender_euid;if (t->from) {struct task_struct *sender = t->from->proc->tsk;tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns);} else {tr.sender_pid = 0;}tr.data_size = t->buffer->data_size;tr.offsets_size = t->buffer->offsets_size;tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (copy_to_user(ptr, &tr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);......list_del(&t->work.entry);t->buffer->allow_user_free = 1;if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;} else {t->buffer->transaction = NULL;kfree(t);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;}break;}done:    ......return 0;}
   Service Manager被唤醒之后，就进入while循环开始处理事务了。这里wait_for_proc_work等于1，并且proc->todo不为空，所以从proc->todo列表中得到第一个工作项：
                                                                       [cpp] view plain copy print ?                                                      w=list_first_entry(&proc->todo,structbinder_work,entry);
        
                        w = list_first_entry(&proc->todo, struct binder_work, entry);
   从上面的描述中，我们知道，这个工作项的类型为BINDER_WORK_TRANSACTION，于是通过下面语句得到事务项：
                                                                       [cpp] view plain copy print ?                                                      t=container_of(w,structbinder_transaction,work);
        
                        t = container_of(w, struct binder_transaction, work);
   接着就是把事务项t中的数据拷贝到本地局部变量struct binder_transaction_data tr中去了：
                                                                       [cpp] view plain copy print ?                                                      if(t->buffer->target_node){
         structbinder_node*target_node=t->buffer->target_node;
         tr.target.ptr=target_node->ptr;
         tr.cookie=target_node->cookie;
         ......
         cmd=BR_TRANSACTION;
         }else{
         ......
         }
         tr.code=t->code;
         tr.flags=t->flags;
         tr.sender_euid=t->sender_euid;
         
         if(t->from){
         structtask_struct*sender=t->from->proc->tsk;
         tr.sender_pid=task_tgid_nr_ns(sender,current->nsproxy->pid_ns);
         }else{
         tr.sender_pid=0;
         }
         
         tr.data_size=t->buffer->data_size;
         tr.offsets_size=t->buffer->offsets_size;
         tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
         tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));
        
                        if (t->buffer->target_node) {struct binder_node *target_node = t->buffer->target_node;tr.target.ptr = target_node->ptr;tr.cookie =  target_node->cookie;......cmd = BR_TRANSACTION;} else {......}tr.code = t->code;tr.flags = t->flags;tr.sender_euid = t->sender_euid;if (t->from) {struct task_struct *sender = t->from->proc->tsk;tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns);} else {tr.sender_pid = 0;}tr.data_size = t->buffer->data_size;tr.offsets_size = t->buffer->offsets_size;tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));
   这里有一个非常重要的地方，是Binder进程间通信机制的精髓所在：
                                                                       [cpp] view plain copy print ?                                                      tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
         tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));
        
                        tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));
   t->buffer->data所指向的地址是内核空间的，现在要把数据返回给Service Manager进程的用户空间，而Service Manager进程的用户空间是不能访问内核空间的数据的，所以这里要作一下处理。怎么处理呢？我们在学面向对象语言的时候，对象的拷贝有深拷贝和浅拷贝之分，深拷贝是把另外分配一块新内存，然后把原始对象的内容搬过去，浅拷贝是并没有为新对象分配一块新空间，而只是分配一个引用，而个引用指向原始对象。Binder机制用的是类似浅拷贝的方法，通过在用户空间分配一个虚拟地址，然后让这个用户空间虚拟地址与t->buffer->data这个内核空间虚拟地址指向同一个物理地址，这样就可以实现浅拷贝了。怎么样用户空间和内核空间的虚拟地址同时指向同一个物理地址呢？请参考前面一篇文章浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路，那里有详细描述。这里只要将t->buffer->data加上一个偏移值proc->user_buffer_offset就可以得到t->buffer->data对应的用户空间虚拟地址了。调整了tr.data.ptr.buffer的值之后，不要忘记也要一起调整tr.data.ptr.offsets的值。
   接着就是把tr的内容拷贝到用户传进来的缓冲区去了，指针ptr指向这个用户缓冲区的地址：
                                                                       [cpp] view plain copy print ?                                                      if(put_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         if(copy_to_user(ptr,&tr,sizeof(tr)))
         return-EFAULT;
         ptr+=sizeof(tr);
        
                        if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (copy_to_user(ptr, &tr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);
    这里可以看出，这里只是对作tr.data.ptr.bufferr和tr.data.ptr.offsets的内容作了浅拷贝。
    最后，由于已经处理了这个事务，要把它从todo列表中删除：
                                                                       [cpp] view plain copy print ?                                                      list_del(&t->work.entry);
         t->buffer->allow_user_free=1;
         if(cmd==BR_TRANSACTION&&!(t->flags&TF_ONE_WAY)){
         t->to_parent=thread->transaction_stack;
         t->to_thread=thread;
         thread->transaction_stack=t;
         }else{
         t->buffer->transaction=NULL;
         kfree(t);
         binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;
         }
        
                        list_del(&t->work.entry);t->buffer->allow_user_free = 1;if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;} else {t->buffer->transaction = NULL;kfree(t);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;}
    注意，这里的cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)为true，表明这个事务虽然在驱动程序中已经处理完了，但是它仍然要等待Service Manager完成之后，给驱动程序一个确认，也就是需要等待回复，于是把当前事务t放在thread->transaction_stack队列的头部：
                                                                       [cpp] view plain copy print ?                                                      t->to_parent=thread->transaction_stack;
         t->to_thread=thread;
         thread->transaction_stack=t;
        
                        t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;
   如果cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)为false，那就不需要等待回复了，直接把事务t删掉。
    这个while最后通过一个break跳了出来，最后返回到binder_ioctl函数中：
                                                                       [cpp] view plain copy print ?                                                      staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
         {
         intret;
         structbinder_proc*proc=filp->private_data;
         structbinder_thread*thread;
         unsignedintsize=_IOC_SIZE(cmd);
         void__user*ubuf=(void__user*)arg;
         
         ......
         
         switch(cmd){
         caseBINDER_WRITE_READ:{
         structbinder_write_readbwr;
         if(size!=sizeof(structbinder_write_read)){
         ret=-EINVAL;
         gotoerr;
         }
         if(copy_from_user(&bwr,ubuf,sizeof(bwr))){
         ret=-EFAULT;
         gotoerr;
         }
         ......
         if(bwr.read_size>0){
         ret=binder_thread_read(proc,thread,(void__user*)bwr.read_buffer,bwr.read_size,&bwr.read_consumed,filp->f_flags&O_NONBLOCK);
         if(!list_empty(&proc->todo))
         wake_up_interruptible(&proc->wait);
         if(ret<0){
         if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
         ret=-EFAULT;
         gotoerr;
         }
         }
         ......
         if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
         ret=-EFAULT;
         gotoerr;
         }
         break;
         }
         ......
         default:
         ret=-EINVAL;
         gotoerr;
         }
         ret=0;
         err:
         ......
         returnret;
         }
        
                        static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;......switch (cmd) {case BINDER_WRITE_READ: {struct binder_write_read bwr;if (size != sizeof(struct binder_write_read)) {ret = -EINVAL;goto err;}if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {ret = -EFAULT;goto err;}......if (bwr.read_size > 0) {ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);if (!list_empty(&proc->todo))wake_up_interruptible(&proc->wait);if (ret < 0) {if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}......if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}break;    }......default:ret = -EINVAL;goto err;}ret = 0;err:......return ret;}
    从binder_thread_read返回来后，再看看proc->todo是否还有事务等待处理，如果是，就把睡眠在proc->wait队列的线程唤醒来处理。最后，把本地变量struct binder_write_read bwr的内容拷贝回到用户传进来的缓冲区中，就返回了。
   这里就是返回到frameworks/base/cmds/servicemanager/binder.c文件中的binder_loop函数了：
                                                                       [cpp] view plain copy print ?                                                      voidbinder_loop(structbinder_state*bs,binder_handlerfunc)
         {
         intres;
         structbinder_write_readbwr;
         unsignedreadbuf[32];
         
         bwr.write_size=0;
         bwr.write_consumed=0;
         bwr.write_buffer=0;
         
         readbuf[0]=BC_ENTER_LOOPER;
         binder_write(bs,readbuf,sizeof(unsigned));
         
         for(;;){
         bwr.read_size=sizeof(readbuf);
         bwr.read_consumed=0;
         bwr.read_buffer=(unsigned)readbuf;
         
         res=ioctl(bs->fd,BINDER_WRITE_READ,&bwr);
         
         if(res<0){
         LOGE("binder_loop:ioctlfailed(%s)\n",strerror(errno));
         break;
         }
         
         res=binder_parse(bs,0,readbuf,bwr.read_consumed,func);
         if(res==0){
         LOGE("binder_loop:unexpectedreply?!\n");
         break;
         }
         if(res<0){
         LOGE("binder_loop:ioerror%d%s\n",res,strerror(errno));
         break;
         }
         }
         }
        
                        void binder_loop(struct binder_state *bs, binder_handler func){    int res;    struct binder_write_read bwr;    unsigned readbuf[32];    bwr.write_size = 0;    bwr.write_consumed = 0;    bwr.write_buffer = 0;        readbuf[0] = BC_ENTER_LOOPER;    binder_write(bs, readbuf, sizeof(unsigned));    for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (unsigned) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        if (res < 0) {            LOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));            break;        }        res = binder_parse(bs, 0, readbuf, bwr.read_consumed, func);        if (res == 0) {            LOGE("binder_loop: unexpected reply?!\n");            break;        }        if (res < 0) {            LOGE("binder_loop: io error %d %s\n", res, strerror(errno));            break;        }    }}
   返回来的数据都放在readbuf中，接着调用binder_parse进行解析：
                                                                       [cpp] view plain copy print ?                                                      intbinder_parse(structbinder_state*bs,structbinder_io*bio,
         uint32_t*ptr,uint32_tsize,binder_handlerfunc)
         {
         intr=1;
         uint32_t*end=ptr+(size/4);
         
         while(ptr<end){
         uint32_tcmd=*ptr++;
         ......
         caseBR_TRANSACTION:{
         structbinder_txn*txn=(void*)ptr;
         if((end-ptr)*sizeof(uint32_t)<sizeof(structbinder_txn)){
         LOGE("parse:txntoosmall!\n");
         return-1;
         }
         binder_dump_txn(txn);
         if(func){
         unsignedrdata[256/4];
         structbinder_iomsg;
         structbinder_ioreply;
         intres;
         
         bio_init(&reply,rdata,sizeof(rdata),4);
         bio_init_from_txn(&msg,txn);
         res=func(bs,txn,&msg,&reply);
         binder_send_reply(bs,&reply,txn->data,res);
         }
         ptr+=sizeof(*txn)/sizeof(uint32_t);
         break;
         }
         ......
         default:
         LOGE("parse:OOPS%d\n",cmd);
         return-1;
         }
         }
         
         returnr;
         }
        
                        int binder_parse(struct binder_state *bs, struct binder_io *bio, uint32_t *ptr, uint32_t size, binder_handler func){int r = 1;uint32_t *end = ptr + (size / 4);while (ptr < end) {uint32_t cmd = *ptr++;        ......case BR_TRANSACTION: {struct binder_txn *txn = (void *) ptr;if ((end - ptr) * sizeof(uint32_t) < sizeof(struct binder_txn)) {LOGE("parse: txn too small!\n");return -1;}binder_dump_txn(txn);if (func) {unsigned rdata[256/4];struct binder_io msg;struct binder_io reply;int res;bio_init(&reply, rdata, sizeof(rdata), 4);bio_init_from_txn(&msg, txn);res = func(bs, txn, &msg, &reply);binder_send_reply(bs, &reply, txn->data, res);}ptr += sizeof(*txn) / sizeof(uint32_t);break; }......default:LOGE("parse: OOPS %d\n", cmd);return -1;}}return r;}
   首先把从Binder驱动程序读出来的数据转换为一个struct binder_txn结构体，保存在txn本地变量中，struct binder_txn定义在frameworks/base/cmds/servicemanager/binder.h文件中：
                                                                       [cpp] view plain copy print ?                                                      structbinder_txn
         {
         void*target;
         void*cookie;
         uint32_tcode;
         uint32_tflags;
         
         uint32_tsender_pid;
         uint32_tsender_euid;
         
         uint32_tdata_size;
         uint32_toffs_size;
         void*data;
         void*offs;
         };
        
                        struct binder_txn{    void *target;    void *cookie;    uint32_t code;    uint32_t flags;    uint32_t sender_pid;    uint32_t sender_euid;    uint32_t data_size;    uint32_t offs_size;    void *data;    void *offs;};
   函数中还用到了另外一个数据结构struct binder_io，也是定义在frameworks/base/cmds/servicemanager/binder.h文件中：
                                                                       [cpp] view plain copy print ?                                                      structbinder_io
         {
         char*data;/*pointertoread/writefrom*/
         uint32_t*offs;/*arrayofoffsets*/
         uint32_tdata_avail;/*bytesavailableindatabuffer*/
         uint32_toffs_avail;/*entriesavailableinoffsetsarray*/
         
         char*data0;/*startofdatabuffer*/
         uint32_t*offs0;/*startofoffsetsbuffer*/
         uint32_tflags;
         uint32_tunused;
         };
        
                        struct binder_io{    char *data;            /* pointer to read/write from */    uint32_t *offs;        /* array of offsets */    uint32_t data_avail;   /* bytes available in data buffer */    uint32_t offs_avail;   /* entries available in offsets array */    char *data0;           /* start of data buffer */    uint32_t *offs0;       /* start of offsets buffer */    uint32_t flags;    uint32_t unused;};
   接着往下看，函数调bio_init来初始化reply变量：
                                                                       [cpp] view plain copy print ?                                                      voidbio_init(structbinder_io*bio,void*data,
         uint32_tmaxdata,uint32_tmaxoffs)
         {
         uint32_tn=maxoffs*sizeof(uint32_t);
         
         if(n>maxdata){
         bio->flags=BIO_F_OVERFLOW;
         bio->data_avail=0;
         bio->offs_avail=0;
         return;
         }
         
         bio->data=bio->data0=data+n;
         bio->offs=bio->offs0=data;
         bio->data_avail=maxdata-n;
         bio->offs_avail=maxoffs;
         bio->flags=0;
         }
        
                        void bio_init(struct binder_io *bio, void *data,              uint32_t maxdata, uint32_t maxoffs){    uint32_t n = maxoffs * sizeof(uint32_t);    if (n > maxdata) {        bio->flags = BIO_F_OVERFLOW;        bio->data_avail = 0;        bio->offs_avail = 0;        return;    }    bio->data = bio->data0 = data + n;    bio->offs = bio->offs0 = data;    bio->data_avail = maxdata - n;    bio->offs_avail = maxoffs;    bio->flags = 0;}
   接着又调用bio_init_from_txn来初始化msg变量：
                                                                       [cpp] view plain copy print ?                                                      voidbio_init_from_txn(structbinder_io*bio,structbinder_txn*txn)
         {
         bio->data=bio->data0=txn->data;
         bio->offs=bio->offs0=txn->offs;
         bio->data_avail=txn->data_size;
         bio->offs_avail=txn->offs_size/4;
         bio->flags=BIO_F_SHARED;
         }
        
                        void bio_init_from_txn(struct binder_io *bio, struct binder_txn *txn){    bio->data = bio->data0 = txn->data;    bio->offs = bio->offs0 = txn->offs;    bio->data_avail = txn->data_size;    bio->offs_avail = txn->offs_size / 4;    bio->flags = BIO_F_SHARED;}
  最后，真正进行处理的函数是从参数中传进来的函数指针func，这里就是定义在frameworks/base/cmds/servicemanager/service_manager.c文件中的svcmgr_handler函数：
                                                                       [cpp] view plain copy print ?                                                      intsvcmgr_handler(structbinder_state*bs,
         structbinder_txn*txn,
         structbinder_io*msg,
         structbinder_io*reply)
         {
         structsvcinfo*si;
         uint16_t*s;
         unsignedlen;
         void*ptr;
         uint32_tstrict_policy;
         
         if(txn->target!=svcmgr_handle)
         return-1;
         
         //EquivalenttoParcel::enforceInterface(),readingtheRPC
         //headerwiththestrictmodepolicymaskandtheinterfacename.
         //Notethatweignorethestrict_policyanddon'tpropagateit
         //further(sincewedonooutboundRPCsanyway).
         strict_policy=bio_get_uint32(msg);
         s=bio_get_string16(msg,&len);
         if((len!=(sizeof(svcmgr_id)/2))||
         memcmp(svcmgr_id,s,sizeof(svcmgr_id))){
         fprintf(stderr,"invalidid%s\n",str8(s));
         return-1;
         }
         
         switch(txn->code){
         ......
         caseSVC_MGR_ADD_SERVICE:
         s=bio_get_string16(msg,&len);
         ptr=bio_get_ref(msg);
         if(do_add_service(bs,s,len,ptr,txn->sender_euid))
         return-1;
         break;
         ......
         }
         
         bio_put_uint32(reply,0);
         return0;
         }
        
                        int svcmgr_handler(struct binder_state *bs,   struct binder_txn *txn,   struct binder_io *msg,   struct binder_io *reply){struct svcinfo *si;uint16_t *s;unsigned len;void *ptr;uint32_t strict_policy;if (txn->target != svcmgr_handle)return -1;// Equivalent to Parcel::enforceInterface(), reading the RPC// header with the strict mode policy mask and the interface name.// Note that we ignore the strict_policy and don't propagate it// further (since we do no outbound RPCs anyway).strict_policy = bio_get_uint32(msg);s = bio_get_string16(msg, &len);if ((len != (sizeof(svcmgr_id) / 2)) ||memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {fprintf(stderr,"invalid id %s\n", str8(s));return -1;}switch(txn->code) {......case SVC_MGR_ADD_SERVICE:s = bio_get_string16(msg, &len);ptr = bio_get_ref(msg);if (do_add_service(bs, s, len, ptr, txn->sender_euid))return -1;break;......}bio_put_uint32(reply, 0);return 0;}
    回忆一下，在BpServiceManager::addService时，传给Binder驱动程序的参数为：
 
                                                                       [cpp] view plain copy print ?                                                      writeInt32(IPCThreadState::self()->getStrictModePolicy()|STRICT_MODE_PENALTY_GATHER);
         writeString16("android.os.IServiceManager");
         writeString16("media.player");
         writeStrongBinder(newMediaPlayerService());
        
                        writeInt32(IPCThreadState::self()->getStrictModePolicy() | STRICT_MODE_PENALTY_GATHER);writeString16("android.os.IServiceManager");writeString16("media.player");writeStrongBinder(new MediaPlayerService());
    这里的语句：
                                                                       [cpp] view plain copy print ?                                                      strict_policy=bio_get_uint32(msg);
         s=bio_get_string16(msg,&len);
         s=bio_get_string16(msg,&len);
         ptr=bio_get_ref(msg);
        
                        strict_policy = bio_get_uint32(msg);s = bio_get_string16(msg, &len);s = bio_get_string16(msg, &len);ptr = bio_get_ref(msg);
    就是依次把它们读取出来了，这里，我们只要看一下bio_get_ref的实现。先看一个数据结构struct binder_obj的定义：
                                                                       [cpp] view plain copy print ?                                                      structbinder_object
         {
         uint32_ttype;
         uint32_tflags;
         void*pointer;
         void*cookie;
         };
        
                        struct binder_object{    uint32_t type;    uint32_t flags;    void *pointer;    void *cookie;};
   这个结构体其实就是对应struct flat_binder_obj的。
   接着看bio_get_ref实现：
                                                                       [cpp] view plain copy print ?                                                      void*bio_get_ref(structbinder_io*bio)
         {
         structbinder_object*obj;
         
         obj=_bio_get_obj(bio);
         if(!obj)
         return0;
         
         if(obj->type==BINDER_TYPE_HANDLE)
         returnobj->pointer;
         
         return0;
         }
        
                        void *bio_get_ref(struct binder_io *bio){    struct binder_object *obj;    obj = _bio_get_obj(bio);    if (!obj)        return 0;    if (obj->type == BINDER_TYPE_HANDLE)        return obj->pointer;    return 0;}
   _bio_get_obj这个函数就不跟进去看了，它的作用就是从binder_io中取得第一个还没取获取过的binder_object。在这个场景下，就是我们最开始传过来代表MediaPlayerService的flat_binder_obj了，这个原始的flat_binder_obj的type为BINDER_TYPE_BINDER，binder为指向MediaPlayerService的弱引用的地址。在前面我们说过，在Binder驱动驱动程序里面，会把这个flat_binder_obj的type改为BINDER_TYPE_HANDLE，handle改为一个句柄值。这里的handle值就等于obj->pointer的值。
   回到svcmgr_handler函数，调用do_add_service进一步处理：
                                                                       [cpp] view plain copy print ?                                                      intdo_add_service(structbinder_state*bs,
         uint16_t*s,unsignedlen,
         void*ptr,unsigneduid)
         {
         structsvcinfo*si;
         //LOGI("add_service('%s',%p)uid=%d\n",str8(s),ptr,uid);
         
         if(!ptr||(len==0)||(len>127))
         return-1;
         
         if(!svc_can_register(uid,s)){
         LOGE("add_service('%s',%p)uid=%d-PERMISSIONDENIED\n",
         str8(s),ptr,uid);
         return-1;
         }
         
         si=find_svc(s,len);
         if(si){
         if(si->ptr){
         LOGE("add_service('%s',%p)uid=%d-ALREADYREGISTERED\n",
         str8(s),ptr,uid);
         return-1;
         }
         si->ptr=ptr;
         }else{
         si=malloc(sizeof(*si)+(len+1)*sizeof(uint16_t));
         if(!si){
         LOGE("add_service('%s',%p)uid=%d-OUTOFMEMORY\n",
         str8(s),ptr,uid);
         return-1;
         }
         si->ptr=ptr;
         si->len=len;
         memcpy(si->name,s,(len+1)*sizeof(uint16_t));
         si->name[len]='\0';
         si->death.func=svcinfo_death;
         si->death.ptr=si;
         si->next=svclist;
         svclist=si;
         }
         
         binder_acquire(bs,ptr);
         binder_link_to_death(bs,ptr,&si->death);
         return0;
         }
        
                        int do_add_service(struct binder_state *bs,                   uint16_t *s, unsigned len,                   void *ptr, unsigned uid){    struct svcinfo *si;//    LOGI("add_service('%s',%p) uid=%d\n", str8(s), ptr, uid);    if (!ptr || (len == 0) || (len > 127))        return -1;    if (!svc_can_register(uid, s)) {        LOGE("add_service('%s',%p) uid=%d - PERMISSION DENIED\n",             str8(s), ptr, uid);        return -1;    }    si = find_svc(s, len);    if (si) {        if (si->ptr) {            LOGE("add_service('%s',%p) uid=%d - ALREADY REGISTERED\n",                 str8(s), ptr, uid);            return -1;        }        si->ptr = ptr;    } else {        si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));        if (!si) {            LOGE("add_service('%s',%p) uid=%d - OUT OF MEMORY\n",                 str8(s), ptr, uid);            return -1;        }        si->ptr = ptr;        si->len = len;        memcpy(si->name, s, (len + 1) * sizeof(uint16_t));        si->name[len] = '\0';        si->death.func = svcinfo_death;        si->death.ptr = si;        si->next = svclist;        svclist = si;    }    binder_acquire(bs, ptr);    binder_link_to_death(bs, ptr, &si->death);    return 0;}
   这个函数的实现很简单，就是把MediaPlayerService这个Binder实体的引用写到一个struct svcinfo结构体中，主要是它的名称和句柄值，然后插入到链接svclist的头部去。这样，Client来向Service Manager查询服务接口时，只要给定服务名称，Service Manger就可以返回相应的句柄值了。
   这个函数执行完成后，返回到svcmgr_handler函数，函数的最后，将一个错误码0写到reply变量中去，表示一切正常：
                                                                       [cpp] view plain copy print ?                                                      bio_put_uint32(reply,0);
        
                        bio_put_uint32(reply, 0);
   svcmgr_handler函数执行完成后，返回到binder_parse函数，执行下面语句：
                                                                       [cpp] view plain copy print ?                                                      binder_send_reply(bs,&reply,txn->data,res);
        
                        binder_send_reply(bs, &reply, txn->data, res);
   我们看一下binder_send_reply的实现，从函数名就可以猜到它要做什么了，告诉Binder驱动程序，它完成了Binder驱动程序交给它的任务了。
                                                                       [cpp] view plain copy print ?                                                      voidbinder_send_reply(structbinder_state*bs,
         structbinder_io*reply,
         void*buffer_to_free,
         intstatus)
         {
         struct{
         uint32_tcmd_free;
         void*buffer;
         uint32_tcmd_reply;
         structbinder_txntxn;
         }__attribute__((packed))data;
         
         data.cmd_free=BC_FREE_BUFFER;
         data.buffer=buffer_to_free;
         data.cmd_reply=BC_REPLY;
         data.txn.target=0;
         data.txn.cookie=0;
         data.txn.code=0;
         if(status){
         data.txn.flags=TF_STATUS_CODE;
         data.txn.data_size=sizeof(int);
         data.txn.offs_size=0;
         data.txn.data=&status;
         data.txn.offs=0;
         }else{
         data.txn.flags=0;
         data.txn.data_size=reply->data-reply->data0;
         data.txn.offs_size=((char*)reply->offs)-((char*)reply->offs0);
         data.txn.data=reply->data0;
         data.txn.offs=reply->offs0;
         }
         binder_write(bs,&data,sizeof(data));
         }
        
                        void binder_send_reply(struct binder_state *bs,                       struct binder_io *reply,                       void *buffer_to_free,                       int status){    struct {        uint32_t cmd_free;        void *buffer;        uint32_t cmd_reply;        struct binder_txn txn;    } __attribute__((packed)) data;    data.cmd_free = BC_FREE_BUFFER;    data.buffer = buffer_to_free;    data.cmd_reply = BC_REPLY;    data.txn.target = 0;    data.txn.cookie = 0;    data.txn.code = 0;    if (status) {        data.txn.flags = TF_STATUS_CODE;        data.txn.data_size = sizeof(int);        data.txn.offs_size = 0;        data.txn.data = &status;        data.txn.offs = 0;    } else {        data.txn.flags = 0;        data.txn.data_size = reply->data - reply->data0;        data.txn.offs_size = ((char*) reply->offs) - ((char*) reply->offs0);        data.txn.data = reply->data0;        data.txn.offs = reply->offs0;    }    binder_write(bs, &data, sizeof(data));}
   从这里可以看出，binder_send_reply告诉Binder驱动程序执行BC_FREE_BUFFER和BC_REPLY命令，前者释放之前在binder_transaction分配的空间，地址为buffer_to_free，buffer_to_free这个地址是Binder驱动程序把自己在内核空间用的地址转换成用户空间地址再传给Service Manager的，所以Binder驱动程序拿到这个地址后，知道怎么样释放这个空间；后者告诉MediaPlayerService，它的addService操作已经完成了，错误码是0，保存在data.txn.data中。
   再来看binder_write函数：
                                                                       [cpp] view plain copy print ?                                                      intbinder_write(structbinder_state*bs,void*data,unsignedlen)
         {
         structbinder_write_readbwr;
         intres;
         bwr.write_size=len;
         bwr.write_consumed=0;
         bwr.write_buffer=(unsigned)data;
         bwr.read_size=0;
         bwr.read_consumed=0;
         bwr.read_buffer=0;
         res=ioctl(bs->fd,BINDER_WRITE_READ,&bwr);
         if(res<0){
         fprintf(stderr,"binder_write:ioctlfailed(%s)\n",
         strerror(errno));
         }
         returnres;
         }
        
                        int binder_write(struct binder_state *bs, void *data, unsigned len){    struct binder_write_read bwr;    int res;    bwr.write_size = len;    bwr.write_consumed = 0;    bwr.write_buffer = (unsigned) data;    bwr.read_size = 0;    bwr.read_consumed = 0;    bwr.read_buffer = 0;    res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);    if (res < 0) {        fprintf(stderr,"binder_write: ioctl failed (%s)\n",                strerror(errno));    }    return res;}
   这里可以看出，只有写操作，没有读操作，即read_size为0。
   这里又是一个ioctl的BINDER_WRITE_READ操作。直入到驱动程序的binder_ioctl函数后，执行BINDER_WRITE_READ命令，这里就不累述了。
   最后，从binder_ioctl执行到binder_thread_write函数，我们首先看第一个命令BC_FREE_BUFFER：
                                                                       [cpp] view plain copy print ?                                                      int
         binder_thread_write(structbinder_proc*proc,structbinder_thread*thread,
         void__user*buffer,intsize,signedlong*consumed)
         {
         uint32_tcmd;
         void__user*ptr=buffer+*consumed;
         void__user*end=buffer+size;
         
         while(ptr<end&&thread->return_error==BR_OK){
         if(get_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         if(_IOC_NR(cmd)<ARRAY_SIZE(binder_stats.bc)){
         binder_stats.bc[_IOC_NR(cmd)]++;
         proc->stats.bc[_IOC_NR(cmd)]++;
         thread->stats.bc[_IOC_NR(cmd)]++;
         }
         switch(cmd){
         ......
         caseBC_FREE_BUFFER:{
         void__user*data_ptr;
         structbinder_buffer*buffer;
         
         if(get_user(data_ptr,(void*__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(void*);
         
         buffer=binder_buffer_lookup(proc,data_ptr);
         if(buffer==NULL){
         binder_user_error("binder:%d:%d"
         "BC_FREE_BUFFERu%pnomatch\n",
         proc->pid,thread->pid,data_ptr);
         break;
         }
         if(!buffer->allow_user_free){
         binder_user_error("binder:%d:%d"
         "BC_FREE_BUFFERu%pmatched"
         "unreturnedbuffer\n",
         proc->pid,thread->pid,data_ptr);
         break;
         }
         if(binder_debug_mask&BINDER_DEBUG_FREE_BUFFER)
         printk(KERN_INFO"binder:%d:%dBC_FREE_BUFFERu%pfoundbuffer%dfor%stransaction\n",
         proc->pid,thread->pid,data_ptr,buffer->debug_id,
         buffer->transaction?"active":"finished");
         
         if(buffer->transaction){
         buffer->transaction->buffer=NULL;
         buffer->transaction=NULL;
         }
         if(buffer->async_transaction&&buffer->target_node){
         BUG_ON(!buffer->target_node->has_async_transaction);
         if(list_empty(&buffer->target_node->async_todo))
         buffer->target_node->has_async_transaction=0;
         else
         list_move_tail(buffer->target_node->async_todo.next,&thread->todo);
         }
         binder_transaction_buffer_release(proc,buffer,NULL);
         binder_free_buf(proc,buffer);
         break;
         }
         
         ......
         *consumed=ptr-buffer;
         }
         return0;
         }
        
                        intbinder_thread_write(struct binder_proc *proc, struct binder_thread *thread,void __user *buffer, int size, signed long *consumed){uint32_t cmd;void __user *ptr = buffer + *consumed;void __user *end = buffer + size;while (ptr < end && thread->return_error == BR_OK) {if (get_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {binder_stats.bc[_IOC_NR(cmd)]++;proc->stats.bc[_IOC_NR(cmd)]++;thread->stats.bc[_IOC_NR(cmd)]++;}switch (cmd) {......case BC_FREE_BUFFER: {void __user *data_ptr;struct binder_buffer *buffer;if (get_user(data_ptr, (void * __user *)ptr))return -EFAULT;ptr += sizeof(void *);buffer = binder_buffer_lookup(proc, data_ptr);if (buffer == NULL) {binder_user_error("binder: %d:%d ""BC_FREE_BUFFER u%p no match\n",proc->pid, thread->pid, data_ptr);break;}if (!buffer->allow_user_free) {binder_user_error("binder: %d:%d ""BC_FREE_BUFFER u%p matched ""unreturned buffer\n",proc->pid, thread->pid, data_ptr);break;}if (binder_debug_mask & BINDER_DEBUG_FREE_BUFFER)printk(KERN_INFO "binder: %d:%d BC_FREE_BUFFER u%p found buffer %d for %s transaction\n",proc->pid, thread->pid, data_ptr, buffer->debug_id,buffer->transaction ? "active" : "finished");if (buffer->transaction) {buffer->transaction->buffer = NULL;buffer->transaction = NULL;}if (buffer->async_transaction && buffer->target_node) {BUG_ON(!buffer->target_node->has_async_transaction);if (list_empty(&buffer->target_node->async_todo))buffer->target_node->has_async_transaction = 0;elselist_move_tail(buffer->target_node->async_todo.next, &thread->todo);}binder_transaction_buffer_release(proc, buffer, NULL);binder_free_buf(proc, buffer);break; }......*consumed = ptr - buffer;}return 0;}
   首先通过看这个语句：                                                                       [cpp] view plain copy print ?                                                      get_user(data_ptr,(void*__user*)ptr)
        
                        get_user(data_ptr, (void * __user *)ptr)
   这个是获得要删除的Buffer的用户空间地址，接着通过下面这个语句来找到这个地址对应的struct binder_buffer信息：
                                                                       [cpp] view plain copy print ?                                                      buffer=binder_buffer_lookup(proc,data_ptr);
        
                        buffer = binder_buffer_lookup(proc, data_ptr);
   因为这个空间是前面在binder_transaction里面分配的，所以这里一定能找到。
   最后，就可以释放这块内存了：
                                                                       [cpp] view plain copy print ?                                                      binder_transaction_buffer_release(proc,buffer,NULL);
         binder_free_buf(proc,buffer);
        
                        binder_transaction_buffer_release(proc, buffer, NULL);binder_free_buf(proc, buffer);
   再来看另外一个命令BC_REPLY：
                                                                       [cpp] view plain copy print ?                                                      int
         binder_thread_write(structbinder_proc*proc,structbinder_thread*thread,
         void__user*buffer,intsize,signedlong*consumed)
         {
         uint32_tcmd;
         void__user*ptr=buffer+*consumed;
         void__user*end=buffer+size;
         
         while(ptr<end&&thread->return_error==BR_OK){
         if(get_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         if(_IOC_NR(cmd)<ARRAY_SIZE(binder_stats.bc)){
         binder_stats.bc[_IOC_NR(cmd)]++;
         proc->stats.bc[_IOC_NR(cmd)]++;
         thread->stats.bc[_IOC_NR(cmd)]++;
         }
         switch(cmd){
         ......
         caseBC_TRANSACTION:
         caseBC_REPLY:{
         structbinder_transaction_datatr;
         
         if(copy_from_user(&tr,ptr,sizeof(tr)))
         return-EFAULT;
         ptr+=sizeof(tr);
         binder_transaction(proc,thread,&tr,cmd==BC_REPLY);
         break;
         }
         
         ......
         *consumed=ptr-buffer;
         }
         return0;
         }
        
                        intbinder_thread_write(struct binder_proc *proc, struct binder_thread *thread,void __user *buffer, int size, signed long *consumed){uint32_t cmd;void __user *ptr = buffer + *consumed;void __user *end = buffer + size;while (ptr < end && thread->return_error == BR_OK) {if (get_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {binder_stats.bc[_IOC_NR(cmd)]++;proc->stats.bc[_IOC_NR(cmd)]++;thread->stats.bc[_IOC_NR(cmd)]++;}switch (cmd) {......case BC_TRANSACTION:case BC_REPLY: {struct binder_transaction_data tr;if (copy_from_user(&tr, ptr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);binder_transaction(proc, thread, &tr, cmd == BC_REPLY);break;   }......*consumed = ptr - buffer;}return 0;}
   又再次进入到binder_transaction函数：
                                                                       [cpp] view plain copy print ?                                                      staticvoid
         binder_transaction(structbinder_proc*proc,structbinder_thread*thread,
         structbinder_transaction_data*tr,intreply)
         {
         structbinder_transaction*t;
         structbinder_work*tcomplete;
         size_t*offp,*off_end;
         structbinder_proc*target_proc;
         structbinder_thread*target_thread=NULL;
         structbinder_node*target_node=NULL;
         structlist_head*target_list;
         wait_queue_head_t*target_wait;
         structbinder_transaction*in_reply_to=NULL;
         structbinder_transaction_log_entry*e;
         uint32_treturn_error;
         
         ......
         
         if(reply){
         in_reply_to=thread->transaction_stack;
         if(in_reply_to==NULL){
         ......
         return_error=BR_FAILED_REPLY;
         gotoerr_empty_call_stack;
         }
         binder_set_nice(in_reply_to->saved_priority);
         if(in_reply_to->to_thread!=thread){
         .......
         gotoerr_bad_call_stack;
         }
         thread->transaction_stack=in_reply_to->to_parent;
         target_thread=in_reply_to->from;
         if(target_thread==NULL){
         return_error=BR_DEAD_REPLY;
         gotoerr_dead_binder;
         }
         if(target_thread->transaction_stack!=in_reply_to){
         ......
         return_error=BR_FAILED_REPLY;
         in_reply_to=NULL;
         target_thread=NULL;
         gotoerr_dead_binder;
         }
         target_proc=target_thread->proc;
         }else{
         ......
         }
         if(target_thread){
         e->to_thread=target_thread->pid;
         target_list=&target_thread->todo;
         target_wait=&target_thread->wait;
         }else{
         ......
         }
         
         
         /*TODO:reuseincomingtransactionforreply*/
         t=kzalloc(sizeof(*t),GFP_KERNEL);
         if(t==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_alloc_t_failed;
         }
         
         
         tcomplete=kzalloc(sizeof(*tcomplete),GFP_KERNEL);
         if(tcomplete==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_alloc_tcomplete_failed;
         }
         
         if(!reply&&!(tr->flags&TF_ONE_WAY))
         t->from=thread;
         else
         t->from=NULL;
         t->sender_euid=proc->tsk->cred->euid;
         t->to_proc=target_proc;
         t->to_thread=target_thread;
         t->code=tr->code;
         t->flags=tr->flags;
         t->priority=task_nice(current);
         t->buffer=binder_alloc_buf(target_proc,tr->data_size,
         tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));
         if(t->buffer==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_binder_alloc_buf_failed;
         }
         t->buffer->allow_user_free=0;
         t->buffer->debug_id=t->debug_id;
         t->buffer->transaction=t;
         t->buffer->target_node=target_node;
         if(target_node)
         binder_inc_node(target_node,1,0,NULL);
         
         offp=(size_t*)(t->buffer->data+ALIGN(tr->data_size,sizeof(void*)));
         
         if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
         binder_user_error("binder:%d:%dgottransactionwithinvalid"
         "dataptr\n",proc->pid,thread->pid);
         return_error=BR_FAILED_REPLY;
         gotoerr_copy_data_failed;
         }
         if(copy_from_user(offp,tr->data.ptr.offsets,tr->offsets_size)){
         binder_user_error("binder:%d:%dgottransactionwithinvalid"
         "offsetsptr\n",proc->pid,thread->pid);
         return_error=BR_FAILED_REPLY;
         gotoerr_copy_data_failed;
         }
         
         ......
         
         if(reply){
         BUG_ON(t->buffer->async_transaction!=0);
         binder_pop_transaction(target_thread,in_reply_to);
         }elseif(!(t->flags&TF_ONE_WAY)){
         ......
         }else{
         ......
         }
         t->work.type=BINDER_WORK_TRANSACTION;
         list_add_tail(&t->work.entry,target_list);
         tcomplete->type=BINDER_WORK_TRANSACTION_COMPLETE;
         list_add_tail(&tcomplete->entry,&thread->todo);
         if(target_wait)
         wake_up_interruptible(target_wait);
         return;
         ......
         }
        
                        static voidbinder_transaction(struct binder_proc *proc, struct binder_thread *thread,struct binder_transaction_data *tr, int reply){struct binder_transaction *t;struct binder_work *tcomplete;size_t *offp, *off_end;struct binder_proc *target_proc;struct binder_thread *target_thread = NULL;struct binder_node *target_node = NULL;struct list_head *target_list;wait_queue_head_t *target_wait;struct binder_transaction *in_reply_to = NULL;struct binder_transaction_log_entry *e;uint32_t return_error;......if (reply) {in_reply_to = thread->transaction_stack;if (in_reply_to == NULL) {......return_error = BR_FAILED_REPLY;goto err_empty_call_stack;}binder_set_nice(in_reply_to->saved_priority);if (in_reply_to->to_thread != thread) {.......goto err_bad_call_stack;}thread->transaction_stack = in_reply_to->to_parent;target_thread = in_reply_to->from;if (target_thread == NULL) {return_error = BR_DEAD_REPLY;goto err_dead_binder;}if (target_thread->transaction_stack != in_reply_to) {......return_error = BR_FAILED_REPLY;in_reply_to = NULL;target_thread = NULL;goto err_dead_binder;}target_proc = target_thread->proc;} else {......}if (target_thread) {e->to_thread = target_thread->pid;target_list = &target_thread->todo;target_wait = &target_thread->wait;} else {......}/* TODO: reuse incoming transaction for reply */t = kzalloc(sizeof(*t), GFP_KERNEL);if (t == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_t_failed;}tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);if (tcomplete == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_tcomplete_failed;}if (!reply && !(tr->flags & TF_ONE_WAY))t->from = thread;elset->from = NULL;t->sender_euid = proc->tsk->cred->euid;t->to_proc = target_proc;t->to_thread = target_thread;t->code = tr->code;t->flags = tr->flags;t->priority = task_nice(current);t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));if (t->buffer == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_alloc_buf_failed;}t->buffer->allow_user_free = 0;t->buffer->debug_id = t->debug_id;t->buffer->transaction = t;t->buffer->target_node = target_node;if (target_node)binder_inc_node(target_node, 1, 0, NULL);offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {binder_user_error("binder: %d:%d got transaction with invalid ""data ptr\n", proc->pid, thread->pid);return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {binder_user_error("binder: %d:%d got transaction with invalid ""offsets ptr\n", proc->pid, thread->pid);return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}    ......if (reply) {BUG_ON(t->buffer->async_transaction != 0);binder_pop_transaction(target_thread, in_reply_to);} else if (!(t->flags & TF_ONE_WAY)) {......} else {......}t->work.type = BINDER_WORK_TRANSACTION;list_add_tail(&t->work.entry, target_list);tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;list_add_tail(&tcomplete->entry, &thread->todo);if (target_wait)wake_up_interruptible(target_wait);return;    ......}
   注意，这里的reply为1，我们忽略掉其它无关代码。
   前面Service Manager正在binder_thread_read函数中被MediaPlayerService启动后进程唤醒后，在最后会把当前处理完的事务放在thread->transaction_stack中：
                                                                       [cpp] view plain copy print ?                                                      if(cmd==BR_TRANSACTION&&!(t->flags&TF_ONE_WAY)){
         t->to_parent=thread->transaction_stack;
         t->to_thread=thread;
         thread->transaction_stack=t;
         }
        
                        if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;} 
   所以，这里，首先是把它这个binder_transaction取回来，并且放在本地变量in_reply_to中：
                                                                       [cpp] view plain copy print ?                                                      in_reply_to=thread->transaction_stack;
        
                        in_reply_to = thread->transaction_stack;
   接着就可以通过in_reply_to得到最终发出这个事务请求的线程和进程：
                                                                       [cpp] view plain copy print ?                                                      target_thread=in_reply_to->from;
         target_proc=target_thread->proc;
        
                        target_thread = in_reply_to->from;target_proc = target_thread->proc;
   然后得到target_list和target_wait：
                                                                       [cpp] view plain copy print ?                                                      target_list=&target_thread->todo;
         target_wait=&target_thread->wait;
        
                        target_list = &target_thread->todo;target_wait = &target_thread->wait;
   下面这一段代码：
                                                                       [cpp] view plain copy print ?                                                      /*TODO:reuseincomingtransactionforreply*/
         t=kzalloc(sizeof(*t),GFP_KERNEL);
         if(t==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_alloc_t_failed;
         }
         
         
         tcomplete=kzalloc(sizeof(*tcomplete),GFP_KERNEL);
         if(tcomplete==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_alloc_tcomplete_failed;
         }
         
         if(!reply&&!(tr->flags&TF_ONE_WAY))
         t->from=thread;
         else
         t->from=NULL;
         t->sender_euid=proc->tsk->cred->euid;
         t->to_proc=target_proc;
         t->to_thread=target_thread;
         t->code=tr->code;
         t->flags=tr->flags;
         t->priority=task_nice(current);
         t->buffer=binder_alloc_buf(target_proc,tr->data_size,
         tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));
         if(t->buffer==NULL){
         return_error=BR_FAILED_REPLY;
         gotoerr_binder_alloc_buf_failed;
         }
         t->buffer->allow_user_free=0;
         t->buffer->debug_id=t->debug_id;
         t->buffer->transaction=t;
         t->buffer->target_node=target_node;
         if(target_node)
         binder_inc_node(target_node,1,0,NULL);
         
         offp=(size_t*)(t->buffer->data+ALIGN(tr->data_size,sizeof(void*)));
         
         if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
         binder_user_error("binder:%d:%dgottransactionwithinvalid"
         "dataptr\n",proc->pid,thread->pid);
         return_error=BR_FAILED_REPLY;
         gotoerr_copy_data_failed;
         }
         if(copy_from_user(offp,tr->data.ptr.offsets,tr->offsets_size)){
         binder_user_error("binder:%d:%dgottransactionwithinvalid"
         "offsetsptr\n",proc->pid,thread->pid);
         return_error=BR_FAILED_REPLY;
         gotoerr_copy_data_failed;
         }
        
                        /* TODO: reuse incoming transaction for reply */t = kzalloc(sizeof(*t), GFP_KERNEL);if (t == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_t_failed;}tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);if (tcomplete == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_tcomplete_failed;}if (!reply && !(tr->flags & TF_ONE_WAY))t->from = thread;elset->from = NULL;t->sender_euid = proc->tsk->cred->euid;t->to_proc = target_proc;t->to_thread = target_thread;t->code = tr->code;t->flags = tr->flags;t->priority = task_nice(current);t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));if (t->buffer == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_alloc_buf_failed;}t->buffer->allow_user_free = 0;t->buffer->debug_id = t->debug_id;t->buffer->transaction = t;t->buffer->target_node = target_node;if (target_node)binder_inc_node(target_node, 1, 0, NULL);offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {binder_user_error("binder: %d:%d got transaction with invalid ""data ptr\n", proc->pid, thread->pid);return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}if (copy_from_user(offp, tr->data.ptr.offsets, tr->offsets_size)) {binder_user_error("binder: %d:%d got transaction with invalid ""offsets ptr\n", proc->pid, thread->pid);return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}
    我们在前面已经分析过了，这里不再重复。但是有一点要注意的是，这里target_node为NULL，因此，t->buffer->target_node也为NULL。
    函数本来有一个for循环，用来处理数据中的Binder对象，这里由于没有Binder对象，所以就略过了。到了下面这句代码：
                                                                       [cpp] view plain copy print ?                                                      binder_pop_transaction(target_thread,in_reply_to);
        
                        binder_pop_transaction(target_thread, in_reply_to);
    我们看看做了什么事情：
                                                                       [cpp] view plain copy print ?                                                      staticvoid
         binder_pop_transaction(
         structbinder_thread*target_thread,structbinder_transaction*t)
         {
         if(target_thread){
         BUG_ON(target_thread->transaction_stack!=t);
         BUG_ON(target_thread->transaction_stack->from!=target_thread);
         target_thread->transaction_stack=
         target_thread->transaction_stack->from_parent;
         t->from=NULL;
         }
         t->need_reply=0;
         if(t->buffer)
         t->buffer->transaction=NULL;
         kfree(t);
         binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;
         }
        
                        static voidbinder_pop_transaction(struct binder_thread *target_thread, struct binder_transaction *t){if (target_thread) {BUG_ON(target_thread->transaction_stack != t);BUG_ON(target_thread->transaction_stack->from != target_thread);target_thread->transaction_stack =target_thread->transaction_stack->from_parent;t->from = NULL;}t->need_reply = 0;if (t->buffer)t->buffer->transaction = NULL;kfree(t);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;}
   由于到了这里，已经不需要in_reply_to这个transaction了，就把它删掉。
   回到binder_transaction函数：
                                                                       [cpp] view plain copy print ?                                                      t->work.type=BINDER_WORK_TRANSACTION;
         list_add_tail(&t->work.entry,target_list);
         tcomplete->type=BINDER_WORK_TRANSACTION_COMPLETE;
         list_add_tail(&tcomplete->entry,&thread->todo);
        
                        t->work.type = BINDER_WORK_TRANSACTION;list_add_tail(&t->work.entry, target_list);tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;list_add_tail(&tcomplete->entry, &thread->todo);
    和前面一样，分别把t和tcomplete分别放在target_list和thread->todo队列中，这里的target_list指的就是最初调用IServiceManager::addService的MediaPlayerService的Server主线程的的thread->todo队列了，而thread->todo指的是Service Manager中用来回复IServiceManager::addService请求的线程。
   最后，唤醒等待在target_wait队列上的线程了，就是最初调用IServiceManager::addService的MediaPlayerService的Server主线程了，它最后在binder_thread_read函数中睡眠在thread->wait上，就是这里的target_wait了：
                                                                       [cpp] view plain copy print ?                                                      if(target_wait)
         wake_up_interruptible(target_wait);
        
                        if (target_wait)wake_up_interruptible(target_wait);
   这样，Service Manger回复调用IServiceManager::addService请求就算完成了，重新回到frameworks/base/cmds/servicemanager/binder.c文件中的binder_loop函数等待下一个Client请求的到来。事实上，Service Manger回到binder_loop函数再次执行ioctl函数时候，又会再次进入到binder_thread_read函数。这时个会发现thread->todo不为空，这是因为刚才我们调用了：
                                                                       [cpp] view plain copy print ?                                                      list_add_tail(&tcomplete->entry,&thread->todo);
        
                        list_add_tail(&tcomplete->entry, &thread->todo);
    把一个工作项tcompelete放在了在thread->todo中，这个tcompelete的type为BINDER_WORK_TRANSACTION_COMPLETE，因此，Binder驱动程序会执行下面操作：
                                                                       [cpp] view plain copy print ?                                                      switch(w->type){
         caseBINDER_WORK_TRANSACTION_COMPLETE:{
         cmd=BR_TRANSACTION_COMPLETE;
         if(put_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         
         list_del(&w->entry);
         kfree(w);
         
         }break;
         ......
         }
        
                        switch (w->type) {case BINDER_WORK_TRANSACTION_COMPLETE: {cmd = BR_TRANSACTION_COMPLETE;if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);list_del(&w->entry);kfree(w);} break;......}
   binder_loop函数执行完这个ioctl调用后，才会在下一次调用ioctl进入到Binder驱动程序进入休眠状态，等待下一次Client的请求。
   上面讲到调用IServiceManager::addService的MediaPlayerService的Server主线程被唤醒了，于是，重新执行binder_thread_read函数：
                                                                       [cpp] view plain copy print ?                                                      staticint
         binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
         void__user*buffer,intsize,signedlong*consumed,intnon_block)
         {
         void__user*ptr=buffer+*consumed;
         void__user*end=buffer+size;
         
         intret=0;
         intwait_for_proc_work;
         
         if(*consumed==0){
         if(put_user(BR_NOOP,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         }
         
         retry:
         wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
         
         ......
         
         if(wait_for_proc_work){
         ......
         }else{
         if(non_block){
         if(!binder_has_thread_work(thread))
         ret=-EAGAIN;
         }else
         ret=wait_event_interruptible(thread->wait,binder_has_thread_work(thread));
         }
         
         ......
         
         while(1){
         uint32_tcmd;
         structbinder_transaction_datatr;
         structbinder_work*w;
         structbinder_transaction*t=NULL;
         
         if(!list_empty(&thread->todo))
         w=list_first_entry(&thread->todo,structbinder_work,entry);
         elseif(!list_empty(&proc->todo)&&wait_for_proc_work)
         w=list_first_entry(&proc->todo,structbinder_work,entry);
         else{
         if(ptr-buffer==4&&!(thread->looper&BINDER_LOOPER_STATE_NEED_RETURN))/*nodataadded*/
         gotoretry;
         break;
         }
         
         ......
         
         switch(w->type){
         caseBINDER_WORK_TRANSACTION:{
         t=container_of(w,structbinder_transaction,work);
         }break;
         ......
         }
         
         if(!t)
         continue;
         
         BUG_ON(t->buffer==NULL);
         if(t->buffer->target_node){
         ......
         }else{
         tr.target.ptr=NULL;
         tr.cookie=NULL;
         cmd=BR_REPLY;
         }
         tr.code=t->code;
         tr.flags=t->flags;
         tr.sender_euid=t->sender_euid;
         
         if(t->from){
         ......
         }else{
         tr.sender_pid=0;
         }
         
         tr.data_size=t->buffer->data_size;
         tr.offsets_size=t->buffer->offsets_size;
         tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
         tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));
         
         if(put_user(cmd,(uint32_t__user*)ptr))
         return-EFAULT;
         ptr+=sizeof(uint32_t);
         if(copy_to_user(ptr,&tr,sizeof(tr)))
         return-EFAULT;
         ptr+=sizeof(tr);
         
         ......
         
         list_del(&t->work.entry);
         t->buffer->allow_user_free=1;
         if(cmd==BR_TRANSACTION&&!(t->flags&TF_ONE_WAY)){
         ......
         }else{
         t->buffer->transaction=NULL;
         kfree(t);
         binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;
         }
         break;
         }
         
         done:
         ......
         return0;
         }
        
                        static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);......if (wait_for_proc_work) {......} else {if (non_block) {if (!binder_has_thread_work(thread))ret = -EAGAIN;} elseret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));}......while (1) {uint32_t cmd;struct binder_transaction_data tr;struct binder_work *w;struct binder_transaction *t = NULL;if (!list_empty(&thread->todo))w = list_first_entry(&thread->todo, struct binder_work, entry);else if (!list_empty(&proc->todo) && wait_for_proc_work)w = list_first_entry(&proc->todo, struct binder_work, entry);else {if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */goto retry;break;}......switch (w->type) {case BINDER_WORK_TRANSACTION: {t = container_of(w, struct binder_transaction, work);  } break;......}if (!t)continue;BUG_ON(t->buffer == NULL);if (t->buffer->target_node) {......} else {tr.target.ptr = NULL;tr.cookie = NULL;cmd = BR_REPLY;}tr.code = t->code;tr.flags = t->flags;tr.sender_euid = t->sender_euid;if (t->from) {......} else {tr.sender_pid = 0;}tr.data_size = t->buffer->data_size;tr.offsets_size = t->buffer->offsets_size;tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (copy_to_user(ptr, &tr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);......list_del(&t->work.entry);t->buffer->allow_user_free = 1;if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {......} else {t->buffer->transaction = NULL;kfree(t);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION]++;}break;}done:......return 0;}
    在while循环中，从thread->todo得到w，w->type为BINDER_WORK_TRANSACTION，于是，得到t。从上面可以知道，Service Manager反回了一个0回来，写在t->buffer->data里面，现在把t->buffer->data加上proc->user_buffer_offset，得到用户空间地址，保存在tr.data.ptr.buffer里面，这样用户空间就可以访问这个返回码了。由于cmd不等于BR_TRANSACTION，这时就可以把t删除掉了，因为以后都不需要用了。
    执行完这个函数后，就返回到binder_ioctl函数，执行下面语句，把数据返回给用户空间：
                                                                       [cpp] view plain copy print ?                                                      if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
         ret=-EFAULT;
         gotoerr;
         }
        
                        if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {    ret = -EFAULT;    goto err;}
    接着返回到用户空间IPCThreadState::talkWithDriver函数，最后返回到IPCThreadState::waitForResponse函数，最终执行到下面语句：
                                                                       [cpp] view plain copy print ?                                                      status_tIPCThreadState::waitForResponse(Parcel*reply,status_t*acquireResult)
         {
         int32_tcmd;
         int32_terr;
         
         while(1){
         if((err=talkWithDriver())<NO_ERROR)break;
         
         ......
         
         cmd=mIn.readInt32();
         
         ......
         
         switch(cmd){
         ......
         caseBR_REPLY:
         {
         binder_transaction_datatr;
         err=mIn.read(&tr,sizeof(tr));
         LOG_ASSERT(err==NO_ERROR,"NotenoughcommanddataforbrREPLY");
         if(err!=NO_ERROR)gotofinish;
         
         if(reply){
         if((tr.flags&TF_STATUS_CODE)==0){
         reply->ipcSetDataReference(
         reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
         tr.data_size,
         reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
         tr.offsets_size/sizeof(size_t),
         freeBuffer,this);
         }else{
         ......
         }
         }else{
         ......
         }
         }
         gotofinish;
         
         ......
         }
         }
         
         finish:
         ......
         returnerr;
         }
        
                        status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult){int32_t cmd;int32_t err;while (1) {if ((err=talkWithDriver()) < NO_ERROR) break;......cmd = mIn.readInt32();......switch (cmd) {......case BR_REPLY:{binder_transaction_data tr;err = mIn.read(&tr, sizeof(tr));LOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");if (err != NO_ERROR) goto finish;if (reply) {if ((tr.flags & TF_STATUS_CODE) == 0) {reply->ipcSetDataReference(reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),tr.data_size,reinterpret_cast<const size_t*>(tr.data.ptr.offsets),tr.offsets_size/sizeof(size_t),freeBuffer, this);} else {......}} else {......}}goto finish;......}}finish:......return err;}
   注意，这里的tr.flags等于0，这个是在上面的binder_send_reply函数里设置的。最终把结果保存在reply了：
                                                                       [cpp] view plain copy print ?                                                      reply->ipcSetDataReference(
         reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
         tr.data_size,
         reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
         tr.offsets_size/sizeof(size_t),
         freeBuffer,this);
        
                        reply->ipcSetDataReference(       reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),       tr.data_size,       reinterpret_cast<const size_t*>(tr.data.ptr.offsets),       tr.offsets_size/sizeof(size_t),       freeBuffer, this);
   这个函数我们就不看了，有兴趣的读者可以研究一下。
   从这里层层返回，最后回到MediaPlayerService::instantiate函数中。
   至此，IServiceManager::addService终于执行完毕了。这个过程非常复杂，但是如果我们能够深刻地理解这一过程，将能很好地理解Binder机制的设计思想和实现过程。这里，对IServiceManager::addService过程中MediaPlayerService、ServiceManager和BinderDriver之间的交互作一个小结：

   回到frameworks/base/media/mediaserver/main_mediaserver.cpp文件中的main函数，接下去还要执行下面两个函数：
                                                                       [cpp] view plain copy print ?                                                      ProcessState::self()->startThreadPool();
         IPCThreadState::self()->joinThreadPool();
        
                            ProcessState::self()->startThreadPool();    IPCThreadState::self()->joinThreadPool();
   首先看ProcessState::startThreadPool函数的实现：
                                                                       [cpp] view plain copy print ?                                                      voidProcessState::startThreadPool()
         {
         AutoMutex_l(mLock);
         if(!mThreadPoolStarted){
         mThreadPoolStarted=true;
         spawnPooledThread(true);
         }
         }
        
                        void ProcessState::startThreadPool(){    AutoMutex _l(mLock);    if (!mThreadPoolStarted) {        mThreadPoolStarted = true;        spawnPooledThread(true);    }}
   这里调用spwanPooledThread：
                                                                       [cpp] view plain copy print ?                                                      voidProcessState::spawnPooledThread(boolisMain)
         {
         if(mThreadPoolStarted){
         int32_ts=android_atomic_add(1,&mThreadPoolSeq);
         charbuf[32];
         sprintf(buf,"BinderThread#%d",s);
         LOGV("Spawningnewpooledthread,name=%s\n",buf);
         sp<Thread>t=newPoolThread(isMain);
         t->run(buf);
         }
         }
        
                        void ProcessState::spawnPooledThread(bool isMain){    if (mThreadPoolStarted) {        int32_t s = android_atomic_add(1, &mThreadPoolSeq);        char buf[32];        sprintf(buf, "Binder Thread #%d", s);        LOGV("Spawning new pooled thread, name=%s\n", buf);        sp<Thread> t = new PoolThread(isMain);        t->run(buf);    }}
   这里主要是创建一个线程，PoolThread继续Thread类，Thread类定义在frameworks/base/libs/utils/Threads.cpp文件中，其run函数最终调用子类的threadLoop函数，这里即为PoolThread::threadLoop函数：
                                                                       [cpp] view plain copy print ?                                                      virtualboolthreadLoop()
         {
         IPCThreadState::self()->joinThreadPool(mIsMain);
         returnfalse;
         }
        
                            virtual bool threadLoop()    {        IPCThreadState::self()->joinThreadPool(mIsMain);        return false;    }
   这里和frameworks/base/media/mediaserver/main_mediaserver.cpp文件中的main函数一样，最终都是调用了IPCThreadState::joinThreadPool函数，它们的区别是，一个参数是true，一个是默认值false。我们来看一下这个函数的实现：
                                                                       [cpp] view plain copy print ?                                                      voidIPCThreadState::joinThreadPool(boolisMain)
         {
         LOG_THREADPOOL("****THREAD%p(PID%d)ISJOININGTHETHREADPOOL\n",(void*)pthread_self(),getpid());
         
         mOut.writeInt32(isMain?BC_ENTER_LOOPER:BC_REGISTER_LOOPER);
         
         ......
         
         status_tresult;
         do{
         int32_tcmd;
         
         .......
         
         //nowgetthenextcommandtobeprocessed,waitingifnecessary
         result=talkWithDriver();
         if(result>=NO_ERROR){
         size_tIN=mIn.dataAvail();
         if(IN<sizeof(int32_t))continue;
         cmd=mIn.readInt32();
         ......
         }
         
         result=executeCommand(cmd);
         }
         
         ......
         }while(result!=-ECONNREFUSED&&result!=-EBADF);
         
         .......
         
         mOut.writeInt32(BC_EXIT_LOOPER);
         talkWithDriver(false);
         }
        
                        void IPCThreadState::joinThreadPool(bool isMain){LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), getpid());mOut.writeInt32(isMain ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER);......status_t result;do {int32_t cmd;.......// now get the next command to be processed, waiting if necessaryresult = talkWithDriver();if (result >= NO_ERROR) {size_t IN = mIn.dataAvail();if (IN < sizeof(int32_t)) continue;cmd = mIn.readInt32();......}result = executeCommand(cmd);}......} while (result != -ECONNREFUSED && result != -EBADF);.......mOut.writeInt32(BC_EXIT_LOOPER);talkWithDriver(false);}
   这个函数最终是在一个无穷循环中，通过调用talkWithDriver函数来和Binder驱动程序进行交互，实际上就是调用talkWithDriver来等待Client的请求，然后再调用executeCommand来处理请求，而在executeCommand函数中，最终会调用BBinder::transact来真正处理Client的请求：
                                                                       [cpp] view plain copy print ?                                                      status_tIPCThreadState::executeCommand(int32_tcmd)
         {
         BBinder*obj;
         RefBase::weakref_type*refs;
         status_tresult=NO_ERROR;
         
         switch(cmd){
         ......
         
         caseBR_TRANSACTION:
         {
         binder_transaction_datatr;
         result=mIn.read(&tr,sizeof(tr));
         
         ......
         
         Parcelreply;
         
         ......
         
         if(tr.target.ptr){
         sp<BBinder>b((BBinder*)tr.cookie);
         conststatus_terror=b->transact(tr.code,buffer,&reply,tr.flags);
         if(error<NO_ERROR)reply.setError(error);
         
         }else{
         conststatus_terror=the_context_object->transact(tr.code,buffer,&reply,tr.flags);
         if(error<NO_ERROR)reply.setError(error);
         }
         
         ......
         }
         break;
         
         .......
         }
         
         if(result!=NO_ERROR){
         mLastError=result;
         }
         
         returnresult;
         }
        
                        status_t IPCThreadState::executeCommand(int32_t cmd){BBinder* obj;RefBase::weakref_type* refs;status_t result = NO_ERROR;switch (cmd) {......case BR_TRANSACTION:{binder_transaction_data tr;result = mIn.read(&tr, sizeof(tr));......Parcel reply;......if (tr.target.ptr) {sp<BBinder> b((BBinder*)tr.cookie);const status_t error = b->transact(tr.code, buffer, &reply, tr.flags);if (error < NO_ERROR) reply.setError(error);} else {const status_t error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);if (error < NO_ERROR) reply.setError(error);}......}break;.......}if (result != NO_ERROR) {mLastError = result;}return result;}
   接下来再看一下BBinder::transact的实现：
                                                                       [cpp] view plain copy print ?                                                      status_tBBinder::transact(
         uint32_tcode,constParcel&data,Parcel*reply,uint32_tflags)
         {
         data.setDataPosition(0);
         
         status_terr=NO_ERROR;
         switch(code){
         casePING_TRANSACTION:
         reply->writeInt32(pingBinder());
         break;
         default:
         err=onTransact(code,data,reply,flags);
         break;
         }
         
         if(reply!=NULL){
         reply->setDataPosition(0);
         }
         
         returnerr;
         }
        
                        status_t BBinder::transact(    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags){    data.setDataPosition(0);    status_t err = NO_ERROR;    switch (code) {        case PING_TRANSACTION:            reply->writeInt32(pingBinder());            break;        default:            err = onTransact(code, data, reply, flags);            break;    }    if (reply != NULL) {        reply->setDataPosition(0);    }    return err;}
   最终会调用onTransact函数来处理。在这个场景中，BnMediaPlayerService继承了BBinder类，并且重载了onTransact函数，因此，这里实际上是调用了BnMediaPlayerService::onTransact函数，这个函数定义在frameworks/base/libs/media/libmedia/IMediaPlayerService.cpp文件中：
                                                                       [cpp] view plain copy print ?                                                      status_tBnMediaPlayerService::onTransact(
         uint32_tcode,constParcel&data,Parcel*reply,uint32_tflags)
         {
         switch(code){
         caseCREATE_URL:{
         ......
         }break;
         caseCREATE_FD:{
         ......
         }break;
         caseDECODE_URL:{
         ......
         }break;
         caseDECODE_FD:{
         ......
         }break;
         caseCREATE_MEDIA_RECORDER:{
         ......
         }break;
         caseCREATE_METADATA_RETRIEVER:{
         ......
         }break;
         caseGET_OMX:{
         ......
         }break;
         default:
         returnBBinder::onTransact(code,data,reply,flags);
         }
         }
        
                        status_t BnMediaPlayerService::onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags){switch(code) {case CREATE_URL: {...... } break;case CREATE_FD: {......} break;case DECODE_URL: {...... } break;case DECODE_FD: {......} break;case CREATE_MEDIA_RECORDER: {......} break;case CREATE_METADATA_RETRIEVER: {......} break;case GET_OMX: {......  } break;default:return BBinder::onTransact(code, data, reply, flags);}}
   至此，我们就以MediaPlayerService为例，完整地介绍了Android系统进程间通信Binder机制中的Server启动过程。Server启动起来之后，就会在一个无穷循环中等待Client的请求了。在下一篇文章中，我们将介绍Client如何通过Service Manager远程接口来获得Server远程接口，进而调用Server远程接口来使用Server提供的服务，敬请关注。

Android系统进程间通信（IPC）机制Binder中的Client获得Server远程接口过程源代码分析

分类： Android 2011-07-27 02:36 8106人阅读评论(13) 收藏举报

在上一篇文章中，我们分析了Android系统进程间通信机制Binder中的Server在启动过程使用Service Manager的addService接口把自己添加到Service Manager守护过程中接受管理。在这一篇文章中，我们将深入到Binder驱动程序源代码去分析Client是如何通过Service Manager的getService接口中来获得Server远程接口的。Client只有获得了Server的远程接口之后，才能进一步调用Server提供的服务。

这里，我们仍然是通过Android系统中自带的多媒体播放器为例子来说明Client是如何通过IServiceManager::getService接口来获得MediaPlayerService这个Server的远程接口的。假设计读者已经阅读过前面三篇文章浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路、浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路和Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析，即假设Service Manager和MediaPlayerService已经启动完毕，Service Manager现在等待Client的请求。

这里，我们要举例子说明的Client便是MediaPlayer了，它声明和实现在frameworks/base/include/media/mediaplayer.h和frameworks/base/media/libmedia/mediaplayer.cpp文件中。MediaPlayer继承于IMediaDeathNotifier类，这个类声明和实现在frameworks/base/include/media/IMediaDeathNotifier.h和frameworks/base/media/libmedia//IMediaDeathNotifier.cpp文件中，里面有一个静态成员函数getMeidaPlayerService，它通过IServiceManager::getService接口来获得MediaPlayerService的远程接口。

在介绍IMediaDeathNotifier::getMeidaPlayerService函数之前，我们先了解一下这个函数的目标。看来前面浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路这篇文章的读者知道，我们在获取Service Manager远程接口时，最终是获得了一个BpServiceManager对象的IServiceManager接口。类似地，我们要获得MediaPlayerService的远程接口，实际上就是要获得一个称为BpMediaPlayerService对象的IMediaPlayerService接口。现在，我们就先来看一下BpMediaPlayerService的类图：

从这个类图可以看到，BpMediaPlayerService继承于BpInterface<IMediaPlayerService>类，即BpMediaPlayerService继承了IMediaPlayerService类和BpRefBase类，这两个类又分别继续了RefBase类。BpRefBase类有一个成员变量mRemote，它的类型为IBinder，实际是一个BpBinder对象。BpBinder类使用了IPCThreadState类来与Binder驱动程序进行交互，而IPCThreadState类有一个成员变量mProcess，它的类型为ProcessState，IPCThreadState类借助ProcessState类来打开Binder设备文件/dev/binder，因此，它可以和Binder驱动程序进行交互。

BpMediaPlayerService的构造函数有一个参数impl，它的类型为const sp<IBinder>&，从上面的描述中，这个实际上就是一个BpBinder对象。这样，要创建一个BpMediaPlayerService对象，首先就要有一个BpBinder对象。再来看BpBinder类的构造函数，它有一个参数handle，类型为int32_t，这个参数的意义就是请求MediaPlayerService这个远程接口的进程对MediaPlayerService这个Binder实体的引用了。因此，获取MediaPlayerService这个远程接口的本质问题就变为从Service Manager中获得MediaPlayerService的一个句柄了。

现在，我们就来看一下IMediaDeathNotifier::getMeidaPlayerService的实现：

[cpp] view plain copy print ?

//establishbinderinterfacetoMediaPlayerService
/*static*/constsp<IMediaPlayerService>&
IMediaDeathNotifier::getMediaPlayerService()
{
LOGV("getMediaPlayerService");
Mutex::Autolock_l(sServiceLock);
if(sMediaPlayerService.get()==0){
sp<IServiceManager>sm=defaultServiceManager();
sp<IBinder>binder;
do{
binder=sm->getService(String16("media.player"));
if(binder!=0){
break;
}
LOGW("Mediaplayerservicenotpublished,waiting...");
usleep(500000);//0.5s
}while(true);
if(sDeathNotifier==NULL){
sDeathNotifier=newDeathNotifier();
}
binder->linkToDeath(sDeathNotifier);
sMediaPlayerService=interface_cast<IMediaPlayerService>(binder);
}
LOGE_IF(sMediaPlayerService==0,"nomediaplayerservice!?");
returnsMediaPlayerService;
}

// establish binder interface to MediaPlayerService/*static*/const sp<IMediaPlayerService>&IMediaDeathNotifier::getMediaPlayerService(){    LOGV("getMediaPlayerService");    Mutex::Autolock _l(sServiceLock);    if (sMediaPlayerService.get() == 0) {        sp<IServiceManager> sm = defaultServiceManager();        sp<IBinder> binder;        do {            binder = sm->getService(String16("media.player"));            if (binder != 0) {                break;             }             LOGW("Media player service not published, waiting...");             usleep(500000); // 0.5 s        } while(true);        if (sDeathNotifier == NULL) {        sDeathNotifier = new DeathNotifier();    }    binder->linkToDeath(sDeathNotifier);    sMediaPlayerService = interface_cast<IMediaPlayerService>(binder);    }    LOGE_IF(sMediaPlayerService == 0, "no media player service!?");    return sMediaPlayerService;}

函数首先通过defaultServiceManager函数来获得Service Manager的远程接口，实际上就是获得BpServiceManager的IServiceManager接口，具体可以参考浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路一文。总的来说，这里的语句：

[cpp] view plain copy print ?

sp<IServiceManager>sm=defaultServiceManager();

sp<IServiceManager> sm = defaultServiceManager();

相当于是：

[cpp] view plain copy print ?

sp<IServiceManager>sm=newBpServiceManager(newBpBinder(0));

sp<IServiceManager> sm = new BpServiceManager(new BpBinder(0));

这里的0表示Service Manager的远程接口的句柄值是0。

接下去的while循环是通过sm->getService接口来不断尝试获得名称为“media.player”的Service，即MediaPlayerService。为什么要通过这无穷循环来得MediaPlayerService呢？因为这时候MediaPlayerService可能还没有启动起来，所以这里如果发现取回来的binder接口为NULL，就睡眠0.5秒，然后再尝试获取，这是获取Service接口的标准做法。
我们来看一下BpServiceManager::getService的实现：

[cpp] view plain copy print ?

classBpServiceManager:publicBpInterface<IServiceManager>
{
......
virtualsp<IBinder>getService(constString16&name)const
{
unsignedn;
for(n=0;n<5;n++){
sp<IBinder>svc=checkService(name);
if(svc!=NULL)returnsvc;
LOGI("Waitingforservice%s...\n",String8(name).string());
sleep(1);
}
returnNULL;
}
virtualsp<IBinder>checkService(constString16&name)const
{
Parceldata,reply;
data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
data.writeString16(name);
remote()->transact(CHECK_SERVICE_TRANSACTION,data,&reply);
returnreply.readStrongBinder();
}
......
};

class BpServiceManager : public BpInterface<IServiceManager>{    ......virtual sp<IBinder> getService(const String16& name) const{unsigned n;for (n = 0; n < 5; n++){sp<IBinder> svc = checkService(name);if (svc != NULL) return svc;LOGI("Waiting for service %s...\n", String8(name).string());sleep(1);}return NULL;}virtual sp<IBinder> checkService( const String16& name) const{Parcel data, reply;data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());data.writeString16(name);remote()->transact(CHECK_SERVICE_TRANSACTION, data, &reply);return reply.readStrongBinder();}......};

BpServiceManager::getService通过BpServiceManager::checkService执行操作。

在BpServiceManager::checkService中，首先是通过Parcel::writeInterfaceToken往data写入一个RPC头，这个我们在Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析一文已经介绍过了，就是写往data里面写入了一个整数和一个字符串“android.os.IServiceManager”， Service Manager来处理CHECK_SERVICE_TRANSACTION请求之前，会先验证一下这个RPC头，看看是否正确。接着再往data写入一个字符串name，这里就是“media.player”了。回忆一下Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析这篇文章，那里已经往Service Manager中注册了一个名字为“media.player”的MediaPlayerService。

这里的remote()返回的是一个BpBinder，具体可以参考浅谈Android系统进程间通信（IPC）机制Binder中的Server和Client获得Service Manager接口之路一文，于是，就进行到BpBinder::transact函数了：

[cpp] view plain copy print ?

status_tBpBinder::transact(
uint32_tcode,constParcel&data,Parcel*reply,uint32_tflags)
{
//Onceabinderhasdied,itwillnevercomebacktolife.
if(mAlive){
status_tstatus=IPCThreadState::self()->transact(
mHandle,code,data,reply,flags);
if(status==DEAD_OBJECT)mAlive=0;
returnstatus;
}
returnDEAD_OBJECT;
}

status_t BpBinder::transact(    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags){    // Once a binder has died, it will never come back to life.    if (mAlive) {        status_t status = IPCThreadState::self()->transact(            mHandle, code, data, reply, flags);        if (status == DEAD_OBJECT) mAlive = 0;        return status;    }    return DEAD_OBJECT;}

这里的mHandle = 0，code =CHECK_SERVICE_TRANSACTION，flags = 0。

这里再进入到IPCThread::transact函数中：

[cpp] view plain copy print ?

status_tIPCThreadState::transact(int32_thandle,
uint32_tcode,constParcel&data,
Parcel*reply,uint32_tflags)
{
status_terr=data.errorCheck();
flags|=TF_ACCEPT_FDS;
IF_LOG_TRANSACTIONS(){
TextOutput::Bundle_b(alog);
alog<<"BC_TRANSACTIONthr"<<(void*)pthread_self()<<"/hand"
<<handle<<"/code"<<TypeCode(code)<<":"
<<indent<<data<<dedent<<endl;
}
if(err==NO_ERROR){
LOG_ONEWAY(">>>>SENDfrompid%duid%d%s",getpid(),getuid(),
(flags&TF_ONE_WAY)==0?"READREPLY":"ONEWAY");
err=writeTransactionData(BC_TRANSACTION,flags,handle,code,data,NULL);
}
if(err!=NO_ERROR){
if(reply)reply->setError(err);
return(mLastError=err);
}
if((flags&TF_ONE_WAY)==0){
#if0
if(code==4){//relayout
LOGI(">>>>>>CALLINGtransaction4");
}else{
LOGI(">>>>>>CALLINGtransaction%d",code);
}
#endif
if(reply){
err=waitForResponse(reply);
}else{
ParcelfakeReply;
err=waitForResponse(&fakeReply);
}
#if0
if(code==4){//relayout
LOGI("<<<<<<RETURNINGtransaction4");
}else{
LOGI("<<<<<<RETURNINGtransaction%d",code);
}
#endif
IF_LOG_TRANSACTIONS(){
TextOutput::Bundle_b(alog);
alog<<"BR_REPLYthr"<<(void*)pthread_self()<<"/hand"
<<handle<<":";
if(reply)alog<<indent<<*reply<<dedent<<endl;
elsealog<<"(nonerequested)"<<endl;
}
}else{
err=waitForResponse(NULL,NULL);
}
returnerr;
}

status_t IPCThreadState::transact(int32_t handle,                                  uint32_t code, const Parcel& data,                                  Parcel* reply, uint32_t flags){    status_t err = data.errorCheck();    flags |= TF_ACCEPT_FDS;    IF_LOG_TRANSACTIONS() {        TextOutput::Bundle _b(alog);        alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand "            << handle << " / code " << TypeCode(code) << ": "            << indent << data << dedent << endl;    }        if (err == NO_ERROR) {        LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(),            (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY");        err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);    }        if (err != NO_ERROR) {        if (reply) reply->setError(err);        return (mLastError = err);    }        if ((flags & TF_ONE_WAY) == 0) {        #if 0        if (code == 4) { // relayout            LOGI(">>>>>> CALLING transaction 4");        } else {            LOGI(">>>>>> CALLING transaction %d", code);        }        #endif        if (reply) {            err = waitForResponse(reply);        } else {            Parcel fakeReply;            err = waitForResponse(&fakeReply);        }        #if 0        if (code == 4) { // relayout            LOGI("<<<<<< RETURNING transaction 4");        } else {            LOGI("<<<<<< RETURNING transaction %d", code);        }        #endif                IF_LOG_TRANSACTIONS() {            TextOutput::Bundle _b(alog);            alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand "                << handle << ": ";            if (reply) alog << indent << *reply << dedent << endl;            else alog << "(none requested)" << endl;        }    } else {        err = waitForResponse(NULL, NULL);    }        return err;}

首先是调用函数writeTransactionData写入将要传输的数据到IPCThreadState的成员变量mOut中去：

[cpp] view plain copy print ?

status_tIPCThreadState::writeTransactionData(int32_tcmd,uint32_tbinderFlags,
int32_thandle,uint32_tcode,constParcel&data,status_t*statusBuffer)
{
binder_transaction_datatr;
tr.target.handle=handle;
tr.code=code;
tr.flags=binderFlags;
conststatus_terr=data.errorCheck();
if(err==NO_ERROR){
tr.data_size=data.ipcDataSize();
tr.data.ptr.buffer=data.ipcData();
tr.offsets_size=data.ipcObjectsCount()*sizeof(size_t);
tr.data.ptr.offsets=data.ipcObjects();
}elseif(statusBuffer){
tr.flags|=TF_STATUS_CODE;
*statusBuffer=err;
tr.data_size=sizeof(status_t);
tr.data.ptr.buffer=statusBuffer;
tr.offsets_size=0;
tr.data.ptr.offsets=NULL;
}else{
return(mLastError=err);
}
mOut.writeInt32(cmd);
mOut.write(&tr,sizeof(tr));
returnNO_ERROR;
}

status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer){    binder_transaction_data tr;    tr.target.handle = handle;    tr.code = code;    tr.flags = binderFlags;        const status_t err = data.errorCheck();    if (err == NO_ERROR) {        tr.data_size = data.ipcDataSize();        tr.data.ptr.buffer = data.ipcData();        tr.offsets_size = data.ipcObjectsCount()*sizeof(size_t);        tr.data.ptr.offsets = data.ipcObjects();    } else if (statusBuffer) {        tr.flags |= TF_STATUS_CODE;        *statusBuffer = err;        tr.data_size = sizeof(status_t);        tr.data.ptr.buffer = statusBuffer;        tr.offsets_size = 0;        tr.data.ptr.offsets = NULL;    } else {        return (mLastError = err);    }        mOut.writeInt32(cmd);    mOut.write(&tr, sizeof(tr));        return NO_ERROR;}

结构体binder_transaction_data在上一篇文章 Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析已经介绍过，这里不再累述，这个结构体是用来描述要传输的参数的内容的。这里着重描述一下将要传输的参数tr里面的内容，handle = 0，code =CHECK_SERVICE_TRANSACTION，cmd =BC_TRANSACTION，data里面的数据分别为：

[cpp] view plain copy print ?

writeInt32(IPCThreadState::self()->getStrictModePolicy()|STRICT_MODE_PENALTY_GATHER);
writeString16("android.os.IServiceManager");
writeString16("media.player");

writeInt32(IPCThreadState::self()->getStrictModePolicy() | STRICT_MODE_PENALTY_GATHER);writeString16("android.os.IServiceManager");writeString16("media.player");

这是在BpServiceManager::checkService函数里面写进去的，其中前两个是RPC头，Service Manager在收到这个请求时会验证这两个参数是否正确，这点前面也提到了。IPCThread->getStrictModePolicy默认返回0，STRICT_MODE_PENALTY_GATHER定义为：

[cpp] view plain copy print ?

//Note:mustbekeptinsyncwithandroid/os/StrictMode.java'sPENALTY_GATHER
#defineSTRICT_MODE_PENALTY_GATHER0x100

// Note: must be kept in sync with android/os/StrictMode.java's PENALTY_GATHER#define STRICT_MODE_PENALTY_GATHER 0x100

我们不关心这个参数的含义，这不会影响我们分析下面的源代码，有兴趣的读者可以研究一下。这里要注意的是，要传输的参数不包含有Binder对象，因此tr.offsets_size = 0。要传输的参数最后写入到IPCThreadState的成员变量mOut中，包括cmd和tr两个数据。

回到IPCThread::transact函数中，由于(flags & TF_ONE_WAY) == 0为true，即这是一个同步请求，并且reply != NULL，最终调用：

[cpp] view plain copy print ?

err=waitForResponse(reply);

err = waitForResponse(reply);

进入到waitForResponse函数中：

[cpp] view plain copy print ?

status_tIPCThreadState::waitForResponse(Parcel*reply,status_t*acquireResult)
{
int32_tcmd;
int32_terr;
while(1){
if((err=talkWithDriver())<NO_ERROR)break;
err=mIn.errorCheck();
if(err<NO_ERROR)break;
if(mIn.dataAvail()==0)continue;
cmd=mIn.readInt32();
IF_LOG_COMMANDS(){
alog<<"ProcessingwaitForResponseCommand:"
<<getReturnString(cmd)<<endl;
}
switch(cmd){
caseBR_TRANSACTION_COMPLETE:
if(!reply&&!acquireResult)gotofinish;
break;
caseBR_DEAD_REPLY:
err=DEAD_OBJECT;
gotofinish;
caseBR_FAILED_REPLY:
err=FAILED_TRANSACTION;
gotofinish;
caseBR_ACQUIRE_RESULT:
{
LOG_ASSERT(acquireResult!=NULL,"UnexpectedbrACQUIRE_RESULT");
constint32_tresult=mIn.readInt32();
if(!acquireResult)continue;
*acquireResult=result?NO_ERROR:INVALID_OPERATION;
}
gotofinish;
caseBR_REPLY:
{
binder_transaction_datatr;
err=mIn.read(&tr,sizeof(tr));
LOG_ASSERT(err==NO_ERROR,"NotenoughcommanddataforbrREPLY");
if(err!=NO_ERROR)gotofinish;
if(reply){
if((tr.flags&TF_STATUS_CODE)==0){
reply->ipcSetDataReference(
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),
freeBuffer,this);
}else{
err=*static_cast<conststatus_t*>(tr.data.ptr.buffer);
freeBuffer(NULL,
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),this);
}
}else{
freeBuffer(NULL,
reinterpret_cast<constuint8_t*>(tr.data.ptr.buffer),
tr.data_size,
reinterpret_cast<constsize_t*>(tr.data.ptr.offsets),
tr.offsets_size/sizeof(size_t),this);
continue;
}
}
gotofinish;
default:
err=executeCommand(cmd);
if(err!=NO_ERROR)gotofinish;
break;
}
}
finish:
if(err!=NO_ERROR){
if(acquireResult)*acquireResult=err;
if(reply)reply->setError(err);
mLastError=err;
}
returnerr;
}

status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult){    int32_t cmd;    int32_t err;    while (1) {        if ((err=talkWithDriver()) < NO_ERROR) break;        err = mIn.errorCheck();        if (err < NO_ERROR) break;        if (mIn.dataAvail() == 0) continue;                cmd = mIn.readInt32();                IF_LOG_COMMANDS() {            alog << "Processing waitForResponse Command: "                << getReturnString(cmd) << endl;        }        switch (cmd) {        case BR_TRANSACTION_COMPLETE:            if (!reply && !acquireResult) goto finish;            break;                case BR_DEAD_REPLY:            err = DEAD_OBJECT;            goto finish;        case BR_FAILED_REPLY:            err = FAILED_TRANSACTION;            goto finish;                case BR_ACQUIRE_RESULT:            {                LOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT");                const int32_t result = mIn.readInt32();                if (!acquireResult) continue;                *acquireResult = result ? NO_ERROR : INVALID_OPERATION;            }            goto finish;                case BR_REPLY:            {                binder_transaction_data tr;                err = mIn.read(&tr, sizeof(tr));                LOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");                if (err != NO_ERROR) goto finish;                if (reply) {                    if ((tr.flags & TF_STATUS_CODE) == 0) {                        reply->ipcSetDataReference(                            reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                            tr.data_size,                            reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                            tr.offsets_size/sizeof(size_t),                            freeBuffer, this);                    } else {                        err = *static_cast<const status_t*>(tr.data.ptr.buffer);                        freeBuffer(NULL,                            reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                            tr.data_size,                            reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                            tr.offsets_size/sizeof(size_t), this);                    }                } else {                    freeBuffer(NULL,                        reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),                        tr.data_size,                        reinterpret_cast<const size_t*>(tr.data.ptr.offsets),                        tr.offsets_size/sizeof(size_t), this);                    continue;                }            }            goto finish;        default:            err = executeCommand(cmd);            if (err != NO_ERROR) goto finish;            break;        }    }finish:    if (err != NO_ERROR) {        if (acquireResult) *acquireResult = err;        if (reply) reply->setError(err);        mLastError = err;    }        return err;}

这个函数通过IPCThreadState::talkWithDriver与驱动程序进行交互：

[cpp] view plain copy print ?

status_tIPCThreadState::talkWithDriver(booldoReceive)
{
LOG_ASSERT(mProcess->mDriverFD>=0,"Binderdriverisnotopened");
binder_write_readbwr;
//Isthereadbufferempty?
constboolneedRead=mIn.dataPosition()>=mIn.dataSize();
//Wedon'twanttowriteanythingifwearestillreading
//fromdataleftintheinputbufferandthecaller
//hasrequestedtoreadthenextdata.
constsize_toutAvail=(!doReceive||needRead)?mOut.dataSize():0;
bwr.write_size=outAvail;
bwr.write_buffer=(longunsignedint)mOut.data();
//Thisiswhatwe'llread.
if(doReceive&&needRead){
bwr.read_size=mIn.dataCapacity();
bwr.read_buffer=(longunsignedint)mIn.data();
}else{
bwr.read_size=0;
}
......
//Returnimmediatelyifthereisnothingtodo.
if((bwr.write_size==0)&&(bwr.read_size==0))returnNO_ERROR;
bwr.write_consumed=0;
bwr.read_consumed=0;
status_terr;
do{
......
#ifdefined(HAVE_ANDROID_OS)
if(ioctl(mProcess->mDriverFD,BINDER_WRITE_READ,&bwr)>=0)
err=NO_ERROR;
else
err=-errno;
#else
err=INVALID_OPERATION;
#endif
......
}while(err==-EINTR);
......
if(err>=NO_ERROR){
if(bwr.write_consumed>0){
if(bwr.write_consumed<(ssize_t)mOut.dataSize())
mOut.remove(0,bwr.write_consumed);
else
mOut.setDataSize(0);
}
if(bwr.read_consumed>0){
mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);
}
......
returnNO_ERROR;
}
returnerr;
}

status_t IPCThreadState::talkWithDriver(bool doReceive){LOG_ASSERT(mProcess->mDriverFD >= 0, "Binder driver is not opened");binder_write_read bwr;// Is the read buffer empty?const bool needRead = mIn.dataPosition() >= mIn.dataSize();// We don't want to write anything if we are still reading// from data left in the input buffer and the caller// has requested to read the next data.const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;bwr.write_size = outAvail;bwr.write_buffer = (long unsigned int)mOut.data();// This is what we'll read.if (doReceive && needRead) {bwr.read_size = mIn.dataCapacity();bwr.read_buffer = (long unsigned int)mIn.data();} else {bwr.read_size = 0;}......// Return immediately if there is nothing to do.if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;bwr.write_consumed = 0;bwr.read_consumed = 0;status_t err;do {......#if defined(HAVE_ANDROID_OS)if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)err = NO_ERROR;elseerr = -errno;#elseerr = INVALID_OPERATION;#endif......} while (err == -EINTR);......if (err >= NO_ERROR) {if (bwr.write_consumed > 0) {if (bwr.write_consumed < (ssize_t)mOut.dataSize())mOut.remove(0, bwr.write_consumed);elsemOut.setDataSize(0);}if (bwr.read_consumed > 0) {mIn.setDataSize(bwr.read_consumed);mIn.setDataPosition(0);}......return NO_ERROR;}return err;}

这里的needRead为true，因此，bwr.read_size大于0；outAvail也大于0，因此，bwr.write_size也大于0。函数最后通过：

[cpp] view plain copy print ?

ioctl(mProcess->mDriverFD,BINDER_WRITE_READ,&bwr)

ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr)

进入到Binder驱动程序的binder_ioctl函数中。注意，这里的mProcess->mDriverFD是在我们前面调用defaultServiceManager函数获得Service Manager远程接口时，打开的设备文件/dev/binder的文件描述符，mProcess是IPCSThreadState的成员变量。

Binder驱动程序的binder_ioctl函数中，我们只关注BINDER_WRITE_READ命令相关的逻辑：

[cpp] view plain copy print ?

staticlongbinder_ioctl(structfile*filp,unsignedintcmd,unsignedlongarg)
{
intret;
structbinder_proc*proc=filp->private_data;
structbinder_thread*thread;
unsignedintsize=_IOC_SIZE(cmd);
void__user*ubuf=(void__user*)arg;
/*printk(KERN_INFO"binder_ioctl:%d:%d%x%lx\n",proc->pid,current->pid,cmd,arg);*/
ret=wait_event_interruptible(binder_user_error_wait,binder_stop_on_user_error<2);
if(ret)
returnret;
mutex_lock(&binder_lock);
thread=binder_get_thread(proc);
if(thread==NULL){
ret=-ENOMEM;
gotoerr;
}
switch(cmd){
caseBINDER_WRITE_READ:{
structbinder_write_readbwr;
if(size!=sizeof(structbinder_write_read)){
ret=-EINVAL;
gotoerr;
}
if(copy_from_user(&bwr,ubuf,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrite%ldat%08lx,read%ldat%08lx\n",
proc->pid,thread->pid,bwr.write_size,bwr.write_buffer,bwr.read_size,bwr.read_buffer);
if(bwr.write_size>0){
ret=binder_thread_write(proc,thread,(void__user*)bwr.write_buffer,bwr.write_size,&bwr.write_consumed);
if(ret<0){
bwr.read_consumed=0;
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(bwr.read_size>0){
ret=binder_thread_read(proc,thread,(void__user*)bwr.read_buffer,bwr.read_size,&bwr.read_consumed,filp->f_flags&O_NONBLOCK);
if(!list_empty(&proc->todo))
wake_up_interruptible(&proc->wait);
if(ret<0){
if(copy_to_user(ubuf,&bwr,sizeof(bwr)))
ret=-EFAULT;
gotoerr;
}
}
if(binder_debug_mask&BINDER_DEBUG_READ_WRITE)
printk(KERN_INFO"binder:%d:%dwrote%ldof%ld,readreturn%ldof%ld\n",
proc->pid,thread->pid,bwr.write_consumed,bwr.write_size,bwr.read_consumed,bwr.read_size);
if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}
break;
}
......
default:
ret=-EINVAL;
gotoerr;
}
ret=0;
err:
......
returnret;
}

static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg){int ret;struct binder_proc *proc = filp->private_data;struct binder_thread *thread;unsigned int size = _IOC_SIZE(cmd);void __user *ubuf = (void __user *)arg;/*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);if (ret)return ret;mutex_lock(&binder_lock);thread = binder_get_thread(proc);if (thread == NULL) {ret = -ENOMEM;goto err;}switch (cmd) {case BINDER_WRITE_READ: {struct binder_write_read bwr;if (size != sizeof(struct binder_write_read)) {ret = -EINVAL;goto err;}if (copy_from_user(&bwr, ubuf, sizeof(bwr))) {ret = -EFAULT;goto err;}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d write %ld at %08lx, read %ld at %08lx\n",proc->pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer);if (bwr.write_size > 0) {ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);if (ret < 0) {bwr.read_consumed = 0;if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (bwr.read_size > 0) {ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);if (!list_empty(&proc->todo))wake_up_interruptible(&proc->wait);if (ret < 0) {if (copy_to_user(ubuf, &bwr, sizeof(bwr)))ret = -EFAULT;goto err;}}if (binder_debug_mask & BINDER_DEBUG_READ_WRITE)printk(KERN_INFO "binder: %d:%d wrote %ld of %ld, read return %ld of %ld\n",proc->pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size);if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}break;}......default:ret = -EINVAL;goto err;}ret = 0;err:......return ret;}

这里的filp->private_data的值是在defaultServiceManager函数创建ProcessState对象时，在ProcessState构造函数通过open文件操作函数打开设备文件/dev/binder时设置好的，它表示的是调用open函数打开设备文件/dev/binder的进程上下文信息，这里将它取出来保存在proc本地变量中。

这里的thread本地变量表示当前线程上下文信息，通过binder_get_thread函数获得。在前面执行ProcessState构造函数时，也会通过ioctl文件操作函数进入到这个函数，那是第一次进入到binder_ioctl这里，因此，调用binder_get_thread时，表示当前进程上下文信息的proc变量还没有关于当前线程的上下文信息，因此，会为proc创建一个表示当前线程上下文信息的thread，会保存在proc->threads表示的红黑树结构中。这里调用binder_get_thread就可以直接从proc找到并返回了。

进入到BINDER_WRITE_READ相关的逻辑。先看看BINDER_WRITE_READ的定义：

[cpp] view plain copy print ?

#defineBINDER_WRITE_READ_IOWR('b',1,structbinder_write_read)

#define BINDER_WRITE_READ   _IOWR('b', 1, struct binder_write_read)

这里可以看出，BINDER_WRITE_READ命令的参数类型为struct binder_write_read：

[cpp] view plain copy print ?

structbinder_write_read{
signedlongwrite_size;/*bytestowrite*/
signedlongwrite_consumed;/*bytesconsumedbydriver*/
unsignedlongwrite_buffer;
signedlongread_size;/*bytestoread*/
signedlongread_consumed;/*bytesconsumedbydriver*/
unsignedlongread_buffer;
};

struct binder_write_read {signed longwrite_size;/* bytes to write */signed longwrite_consumed;/* bytes consumed by driver */unsigned longwrite_buffer;signed longread_size;/* bytes to read */signed longread_consumed;/* bytes consumed by driver */unsigned longread_buffer;};

这个结构体的含义可以参考浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路一文。这里首先是通过copy_from_user函数把用户传进来的参数的内容拷贝到本地变量bwr中。
从上面的调用过程，我们知道，这里bwr.write_size是大于0的，因此进入到binder_thread_write函数中，我们只关注BC_TRANSACTION相关的逻辑：

[cpp] view plain copy print ?

int
binder_thread_write(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed)
{
uint32_tcmd;
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
while(ptr<end&&thread->return_error==BR_OK){
if(get_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(_IOC_NR(cmd)<ARRAY_SIZE(binder_stats.bc)){
binder_stats.bc[_IOC_NR(cmd)]++;
proc->stats.bc[_IOC_NR(cmd)]++;
thread->stats.bc[_IOC_NR(cmd)]++;
}
switch(cmd){
......
caseBC_TRANSACTION:
caseBC_REPLY:{
structbinder_transaction_datatr;
if(copy_from_user(&tr,ptr,sizeof(tr)))
return-EFAULT;
ptr+=sizeof(tr);
binder_transaction(proc,thread,&tr,cmd==BC_REPLY);
break;
}
......
default:
printk(KERN_ERR"binder:%d:%dunknowncommand%d\n",proc->pid,thread->pid,cmd);
return-EINVAL;
}
*consumed=ptr-buffer;
}
return0;
}

intbinder_thread_write(struct binder_proc *proc, struct binder_thread *thread,void __user *buffer, int size, signed long *consumed){uint32_t cmd;void __user *ptr = buffer + *consumed;void __user *end = buffer + size;while (ptr < end && thread->return_error == BR_OK) {if (get_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (_IOC_NR(cmd) < ARRAY_SIZE(binder_stats.bc)) {binder_stats.bc[_IOC_NR(cmd)]++;proc->stats.bc[_IOC_NR(cmd)]++;thread->stats.bc[_IOC_NR(cmd)]++;}switch (cmd) {......case BC_TRANSACTION:case BC_REPLY: {struct binder_transaction_data tr;if (copy_from_user(&tr, ptr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);binder_transaction(proc, thread, &tr, cmd == BC_REPLY);break;   }......default:printk(KERN_ERR "binder: %d:%d unknown command %d\n", proc->pid, thread->pid, cmd);return -EINVAL;}*consumed = ptr - buffer;}return 0;}

这里再次把用户传出来的参数拷贝到本地变量tr中，tr的类型为struct binder_transaction_data，这个就是前面我们在IPCThreadState::writeTransactionData写入的内容了。

接着进入到binder_transaction函数中，不相关的代码我们忽略掉：

[cpp] view plain copy print ?

staticvoid
binder_transaction(structbinder_proc*proc,structbinder_thread*thread,
structbinder_transaction_data*tr,intreply)
{
structbinder_transaction*t;
structbinder_work*tcomplete;
size_t*offp,*off_end;
structbinder_proc*target_proc;
structbinder_thread*target_thread=NULL;
structbinder_node*target_node=NULL;
structlist_head*target_list;
wait_queue_head_t*target_wait;
structbinder_transaction*in_reply_to=NULL;
structbinder_transaction_log_entry*e;
uint32_treturn_error;
.......
if(reply){
......
}else{
if(tr->target.handle){
......
}else{
target_node=binder_context_mgr_node;
if(target_node==NULL){
return_error=BR_DEAD_REPLY;
gotoerr_no_context_mgr_node;
}
}
......
target_proc=target_node->proc;
if(target_proc==NULL){
return_error=BR_DEAD_REPLY;
gotoerr_dead_binder;
}
if(!(tr->flags&TF_ONE_WAY)&&thread->transaction_stack){
......
}
}
if(target_thread){
......
}else{
target_list=&target_proc->todo;
target_wait=&target_proc->wait;
}
......
/*TODO:reuseincomingtransactionforreply*/
t=kzalloc(sizeof(*t),GFP_KERNEL);
if(t==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_t_failed;
}
binder_stats.obj_created[BINDER_STAT_TRANSACTION]++;
tcomplete=kzalloc(sizeof(*tcomplete),GFP_KERNEL);
if(tcomplete==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_alloc_tcomplete_failed;
}
binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++;
t->debug_id=++binder_last_id;
......
if(!reply&&!(tr->flags&TF_ONE_WAY))
t->from=thread;
else
t->from=NULL;
t->sender_euid=proc->tsk->cred->euid;
t->to_proc=target_proc;
t->to_thread=target_thread;
t->code=tr->code;
t->flags=tr->flags;
t->priority=task_nice(current);
t->buffer=binder_alloc_buf(target_proc,tr->data_size,
tr->offsets_size,!reply&&(t->flags&TF_ONE_WAY));
if(t->buffer==NULL){
return_error=BR_FAILED_REPLY;
gotoerr_binder_alloc_buf_failed;
}
t->buffer->allow_user_free=0;
t->buffer->debug_id=t->debug_id;
t->buffer->transaction=t;
t->buffer->target_node=target_node;
if(target_node)
binder_inc_node(target_node,1,0,NULL);
offp=(size_t*)(t->buffer->data+ALIGN(tr->data_size,sizeof(void*)));
if(copy_from_user(t->buffer->data,tr->data.ptr.buffer,tr->data_size)){
......
return_error=BR_FAILED_REPLY;
gotoerr_copy_data_failed;
}
......
if(reply){
......
}elseif(!(t->flags&TF_ONE_WAY)){
BUG_ON(t->buffer->async_transaction!=0);
t->need_reply=1;
t->from_parent=thread->transaction_stack;
thread->transaction_stack=t;
}else{
......
}
t->work.type=BINDER_WORK_TRANSACTION;
list_add_tail(&t->work.entry,target_list);
tcomplete->type=BINDER_WORK_TRANSACTION_COMPLETE;
list_add_tail(&tcomplete->entry,&thread->todo);
if(target_wait)
wake_up_interruptible(target_wait);
return;
......
}

static voidbinder_transaction(struct binder_proc *proc, struct binder_thread *thread,struct binder_transaction_data *tr, int reply){struct binder_transaction *t;struct binder_work *tcomplete;size_t *offp, *off_end;struct binder_proc *target_proc;struct binder_thread *target_thread = NULL;struct binder_node *target_node = NULL;struct list_head *target_list;wait_queue_head_t *target_wait;struct binder_transaction *in_reply_to = NULL;struct binder_transaction_log_entry *e;uint32_t return_error;.......if (reply) {......} else {if (tr->target.handle) {......} else {target_node = binder_context_mgr_node;if (target_node == NULL) {return_error = BR_DEAD_REPLY;goto err_no_context_mgr_node;}}......target_proc = target_node->proc;if (target_proc == NULL) {return_error = BR_DEAD_REPLY;goto err_dead_binder;}if (!(tr->flags & TF_ONE_WAY) && thread->transaction_stack) {......}}if (target_thread) {......} else {target_list = &target_proc->todo;target_wait = &target_proc->wait;}....../* TODO: reuse incoming transaction for reply */t = kzalloc(sizeof(*t), GFP_KERNEL);if (t == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_t_failed;}binder_stats.obj_created[BINDER_STAT_TRANSACTION]++;tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);if (tcomplete == NULL) {return_error = BR_FAILED_REPLY;goto err_alloc_tcomplete_failed;}binder_stats.obj_created[BINDER_STAT_TRANSACTION_COMPLETE]++;t->debug_id = ++binder_last_id;......if (!reply && !(tr->flags & TF_ONE_WAY))t->from = thread;elset->from = NULL;t->sender_euid = proc->tsk->cred->euid;t->to_proc = target_proc;t->to_thread = target_thread;t->code = tr->code;t->flags = tr->flags;t->priority = task_nice(current);t->buffer = binder_alloc_buf(target_proc, tr->data_size,tr->offsets_size, !reply && (t->flags & TF_ONE_WAY));if (t->buffer == NULL) {return_error = BR_FAILED_REPLY;goto err_binder_alloc_buf_failed;}t->buffer->allow_user_free = 0;t->buffer->debug_id = t->debug_id;t->buffer->transaction = t;t->buffer->target_node = target_node;if (target_node)binder_inc_node(target_node, 1, 0, NULL);offp = (size_t *)(t->buffer->data + ALIGN(tr->data_size, sizeof(void *)));if (copy_from_user(t->buffer->data, tr->data.ptr.buffer, tr->data_size)) {......return_error = BR_FAILED_REPLY;goto err_copy_data_failed;}......if (reply) {......} else if (!(t->flags & TF_ONE_WAY)) {BUG_ON(t->buffer->async_transaction != 0);t->need_reply = 1;t->from_parent = thread->transaction_stack;thread->transaction_stack = t;} else {......}t->work.type = BINDER_WORK_TRANSACTION;list_add_tail(&t->work.entry, target_list);tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;list_add_tail(&tcomplete->entry, &thread->todo);if (target_wait)wake_up_interruptible(target_wait);return;    ......}

注意，这里的参数reply = 0，表示这是一个BC_TRANSACTION命令。
前面我们提到，传给驱动程序的handle值为0，即这里的tr->target.handle = 0，表示请求的目标Binder对象是Service Manager，因此有：

[cpp] view plain copy print ?

target_node=binder_context_mgr_node;
target_proc=target_node->proc;
target_list=&target_proc->todo;
target_wait=&target_proc->wait;

target_node = binder_context_mgr_node;target_proc = target_node->proc;target_list = &target_proc->todo;target_wait = &target_proc->wait;

其中binder_context_mgr_node是在Service Manager通知Binder驱动程序它是守护过程时创建的。

接着创建一个待完成事项tcomplete，它的类型为struct binder_work，这是等一会要保存在当前线程的todo队列去的，表示当前线程有一个待完成的事务。紧跟着创建一个待处理事务t，它的类型为struct binder_transaction，这是等一会要存在到Service Manager的todo队列去的，表示Service Manager当前有一个事务需要处理。同时，这个待处理事务t也要存放在当前线程的待完成事务transaction_stack列表中去：

[cpp] view plain copy print ?

t->from_parent=thread->transaction_stack;
thread->transaction_stack=t;

t->from_parent = thread->transaction_stack;thread->transaction_stack = t;

这样表明当前线程还有事务要处理。

继续往下看，就是分别把tcomplete和t放在当前线程thread和Service Manager进程的todo队列去了：

[cpp] view plain copy print ?

t->work.type=BINDER_WORK_TRANSACTION;
list_add_tail(&t->work.entry,target_list);
tcomplete->type=BINDER_WORK_TRANSACTION_COMPLETE;
list_add_tail(&tcomplete->entry,&thread->todo);

t->work.type = BINDER_WORK_TRANSACTION;list_add_tail(&t->work.entry, target_list);tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE;list_add_tail(&tcomplete->entry, &thread->todo);

最后，Service Manager有事情可做了，就要唤醒它了：

[cpp] view plain copy print ?

wake_up_interruptible(target_wait);

wake_up_interruptible(target_wait);

前面我们提到，此时Service Manager正在等待Client的请求，也就是Service Manager此时正在进入到Binder驱动程序的binder_thread_read函数中，并且休眠在target->wait上，具体参考浅谈Service Manager成为Android进程间通信（IPC）机制Binder守护进程之路一文。
这里，我们暂时忽略Service Manager被唤醒之后的情景，继续看当前线程的执行。
函数binder_transaction执行完成之后，就一路返回到binder_ioctl函数里去了。函数binder_ioctl从binder_thread_write函数调用处返回后，发现bwr.read_size大于0，于是就进入到binder_thread_read函数去了：

[cpp] view plain copy print ?

staticint
binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed,intnon_block)
{
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
intret=0;
intwait_for_proc_work;
if(*consumed==0){
if(put_user(BR_NOOP,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
}
retry:
wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
......
if(wait_for_proc_work){
......
}else{
if(non_block){
if(!binder_has_thread_work(thread))
ret=-EAGAIN;
}else
ret=wait_event_interruptible(thread->wait,binder_has_thread_work(thread));
}
......
while(1){
uint32_tcmd;
structbinder_transaction_datatr;
structbinder_work*w;
structbinder_transaction*t=NULL;
if(!list_empty(&thread->todo))
w=list_first_entry(&thread->todo,structbinder_work,entry);
elseif(!list_empty(&proc->todo)&&wait_for_proc_work)
w=list_first_entry(&proc->todo,structbinder_work,entry);
else{
if(ptr-buffer==4&&!(thread->looper&BINDER_LOOPER_STATE_NEED_RETURN))/*nodataadded*/
gotoretry;
break;
}
if(end-ptr<sizeof(tr)+4)
break;
switch(w->type){
......
caseBINDER_WORK_TRANSACTION_COMPLETE:{
cmd=BR_TRANSACTION_COMPLETE;
if(put_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
binder_stat_br(proc,thread,cmd);
if(binder_debug_mask&BINDER_DEBUG_TRANSACTION_COMPLETE)
printk(KERN_INFO"binder:%d:%dBR_TRANSACTION_COMPLETE\n",
proc->pid,thread->pid);
list_del(&w->entry);
kfree(w);
binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++;
}break;
......
}
if(!t)
continue;
......
}
done:
......
return0;
}

static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);......if (wait_for_proc_work) {......} else {if (non_block) {if (!binder_has_thread_work(thread))ret = -EAGAIN;} elseret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));}......while (1) {uint32_t cmd;struct binder_transaction_data tr;struct binder_work *w;struct binder_transaction *t = NULL;if (!list_empty(&thread->todo))w = list_first_entry(&thread->todo, struct binder_work, entry);else if (!list_empty(&proc->todo) && wait_for_proc_work)w = list_first_entry(&proc->todo, struct binder_work, entry);else {if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */goto retry;break;}if (end - ptr < sizeof(tr) + 4)break;switch (w->type) {......case BINDER_WORK_TRANSACTION_COMPLETE: {cmd = BR_TRANSACTION_COMPLETE;if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);binder_stat_br(proc, thread, cmd);if (binder_debug_mask & BINDER_DEBUG_TRANSACTION_COMPLETE)printk(KERN_INFO "binder: %d:%d BR_TRANSACTION_COMPLETE\n",proc->pid, thread->pid);list_del(&w->entry);kfree(w);binder_stats.obj_deleted[BINDER_STAT_TRANSACTION_COMPLETE]++;   } break;......}if (!t)continue;......}done:......return 0;}

函数首先是写入一个操作码BR_NOOP到用户传进来的缓冲区中去。

回忆一下上面的binder_transaction函数，这里的thread->transaction_stack != NULL，并且thread->todo也不为空，所以线程不会进入休眠状态。

进入while循环中，首先是从thread->todo队列中取回待处理事项w，w的类型为BINDER_WORK_TRANSACTION_COMPLETE，这也是在binder_transaction函数里面设置的。对BINDER_WORK_TRANSACTION_COMPLETE的处理也很简单，只是把一个操作码BR_TRANSACTION_COMPLETE写回到用户传进来的缓冲区中去。这时候，用户传进来的缓冲区就包含两个操作码了，分别是BR_NOOP和BINDER_WORK_TRANSACTION_COMPLETE。

binder_thread_read执行完之后，返回到binder_ioctl函数中，将操作结果写回到用户空间中去：

[cpp] view plain copy print ?

if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}

if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {ret = -EFAULT;goto err;}

最后就返回到IPCThreadState::talkWithDriver函数中了。

IPCThreadState::talkWithDriver函数从下面语句：

[cpp] view plain copy print ?

ioctl(mProcess->mDriverFD,BINDER_WRITE_READ,&bwr)

ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr)

返回后，首先是清空之前写入Binder驱动程序的内容：

[cpp] view plain copy print ?

if(bwr.write_consumed>0){
if(bwr.write_consumed<(ssize_t)mOut.dataSize())
mOut.remove(0,bwr.write_consumed);
else
mOut.setDataSize(0);
}

if (bwr.write_consumed > 0) {     if (bwr.write_consumed < (ssize_t)mOut.dataSize())          mOut.remove(0, bwr.write_consumed);     else          mOut.setDataSize(0);}

接着是设置从Binder驱动程序读取的内容：

[cpp] view plain copy print ?

if(bwr.read_consumed>0){
mIn.setDataSize(bwr.read_consumed);
mIn.setDataPosition(0);
}

if (bwr.read_consumed > 0) {     mIn.setDataSize(bwr.read_consumed);     mIn.setDataPosition(0);}

然后就返回到IPCThreadState::waitForResponse去了。IPCThreadState::waitForResponse函数的处理也很简单，就是处理刚才从Binder驱动程序读入内容了。从前面的分析中，我们知道，从Binder驱动程序读入的内容就是两个整数了，分别是BR_NOOP和BR_TRANSACTION_COMPLETE。对BR_NOOP的处理很简单，正如它的名字所示，什么也不做；而对BR_TRANSACTION_COMPLETE的处理，就分情况了，如果这个请求是异步的，那个整个BC_TRANSACTION操作就完成了，如果这个请求是同步的，即要等待回复的，也就是reply不为空，那么还要继续通过IPCThreadState::talkWithDriver进入到Binder驱动程序中去等待BC_TRANSACTION操作的处理结果。

这里属于后一种情况，于是再次通过IPCThreadState::talkWithDriver进入到Binder驱动程序的binder_ioctl函数中。不过这一次在binder_ioctl函数中，bwr.write_size等于0，而bwr.read_size大于0，于是再次进入到binder_thread_read函数中。这时候thread->transaction_stack仍然不为NULL，不过thread->todo队列已经为空了，因为前面我们已经处理过thread->todo队列的内容了，于是就通过下面语句：

[cpp] view plain copy print ?

ret=wait_event_interruptible(thread->wait,binder_has_thread_work(thread));

ret = wait_event_interruptible(thread->wait, binder_has_thread_work(thread));

进入休眠状态了，等待Service Manager的唤醒。

现在，我们终于可以回到Service Manager被唤醒之后的过程了。前面我们说过，Service Manager此时正在binder_thread_read函数中休眠中：

[cpp] view plain copy print ?

staticint
binder_thread_read(structbinder_proc*proc,structbinder_thread*thread,
void__user*buffer,intsize,signedlong*consumed,intnon_block)
{
void__user*ptr=buffer+*consumed;
void__user*end=buffer+size;
intret=0;
intwait_for_proc_work;
if(*consumed==0){
if(put_user(BR_NOOP,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
}
retry:
wait_for_proc_work=thread->transaction_stack==NULL&&list_empty(&thread->todo);
......
if(wait_for_proc_work){
......
if(non_block){
if(!binder_has_proc_work(proc,thread))
ret=-EAGAIN;
}else
ret=wait_event_interruptible_exclusive(proc->wait,binder_has_proc_work(proc,thread));
}else{
......
}
......
while(1){
uint32_tcmd;
structbinder_transaction_datatr;
structbinder_work*w;
structbinder_transaction*t=NULL;
if(!list_empty(&thread->todo))
w=list_first_entry(&thread->todo,structbinder_work,entry);
elseif(!list_empty(&proc->todo)&&wait_for_proc_work)
w=list_first_entry(&proc->todo,structbinder_work,entry);
else{
if(ptr-buffer==4&&!(thread->looper&BINDER_LOOPER_STATE_NEED_RETURN))/*nodataadded*/
gotoretry;
break;
}
if(end-ptr<sizeof(tr)+4)
break;
switch(w->type){
caseBINDER_WORK_TRANSACTION:{
t=container_of(w,structbinder_transaction,work);
}break;
......
}
if(!t)
continue;
BUG_ON(t->buffer==NULL);
if(t->buffer->target_node){
structbinder_node*target_node=t->buffer->target_node;
tr.target.ptr=target_node->ptr;
tr.cookie=target_node->cookie;
t->saved_priority=task_nice(current);
if(t->priority<target_node->min_priority&&
!(t->flags&TF_ONE_WAY))
binder_set_nice(t->priority);
elseif(!(t->flags&TF_ONE_WAY)||
t->saved_priority>target_node->min_priority)
binder_set_nice(target_node->min_priority);
cmd=BR_TRANSACTION;
}else{
......
}
tr.code=t->code;
tr.flags=t->flags;
tr.sender_euid=t->sender_euid;
if(t->from){
structtask_struct*sender=t->from->proc->tsk;
tr.sender_pid=task_tgid_nr_ns(sender,current->nsproxy->pid_ns);
}else{
......
}
tr.data_size=t->buffer->data_size;
tr.offsets_size=t->buffer->offsets_size;
tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));
if(put_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(copy_to_user(ptr,&tr,sizeof(tr)))
return-EFAULT;
ptr+=sizeof(tr);
......
list_del(&t->work.entry);
t->buffer->allow_user_free=1;
if(cmd==BR_TRANSACTION&&!(t->flags&TF_ONE_WAY)){
t->to_parent=thread->transaction_stack;
t->to_thread=thread;
thread->transaction_stack=t;
}else{
......
}
break;
}
done:
*consumed=ptr-buffer;
......
return0;
}

static intbinder_thread_read(struct binder_proc *proc, struct binder_thread *thread,   void  __user *buffer, int size, signed long *consumed, int non_block){void __user *ptr = buffer + *consumed;void __user *end = buffer + size;int ret = 0;int wait_for_proc_work;if (*consumed == 0) {if (put_user(BR_NOOP, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);}retry:wait_for_proc_work = thread->transaction_stack == NULL && list_empty(&thread->todo);......if (wait_for_proc_work) {......if (non_block) {if (!binder_has_proc_work(proc, thread))ret = -EAGAIN;} elseret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread));} else {......}......while (1) {uint32_t cmd;struct binder_transaction_data tr;struct binder_work *w;struct binder_transaction *t = NULL;if (!list_empty(&thread->todo))w = list_first_entry(&thread->todo, struct binder_work, entry);else if (!list_empty(&proc->todo) && wait_for_proc_work)w = list_first_entry(&proc->todo, struct binder_work, entry);else {if (ptr - buffer == 4 && !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN)) /* no data added */goto retry;break;}if (end - ptr < sizeof(tr) + 4)break;switch (w->type) {case BINDER_WORK_TRANSACTION: {t = container_of(w, struct binder_transaction, work);  } break;......}if (!t)continue;BUG_ON(t->buffer == NULL);if (t->buffer->target_node) {struct binder_node *target_node = t->buffer->target_node;tr.target.ptr = target_node->ptr;tr.cookie =  target_node->cookie;t->saved_priority = task_nice(current);if (t->priority < target_node->min_priority &&!(t->flags & TF_ONE_WAY))binder_set_nice(t->priority);else if (!(t->flags & TF_ONE_WAY) ||t->saved_priority > target_node->min_priority)binder_set_nice(target_node->min_priority);cmd = BR_TRANSACTION;} else {......}tr.code = t->code;tr.flags = t->flags;tr.sender_euid = t->sender_euid;if (t->from) {struct task_struct *sender = t->from->proc->tsk;tr.sender_pid = task_tgid_nr_ns(sender, current->nsproxy->pid_ns);} else {......}tr.data_size = t->buffer->data_size;tr.offsets_size = t->buffer->offsets_size;tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (copy_to_user(ptr, &tr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);......list_del(&t->work.entry);t->buffer->allow_user_free = 1;if (cmd == BR_TRANSACTION && !(t->flags & TF_ONE_WAY)) {t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;} else {......}break;}done:*consumed = ptr - buffer;......return 0;}

这里就是从语句中唤醒了：

[cpp] view plain copy print ?

ret=wait_event_interruptible_exclusive(proc->wait,binder_has_proc_work(proc,thread));

ret = wait_event_interruptible_exclusive(proc->wait, binder_has_proc_work(proc, thread));

Service Manager唤醒过来看，继续往下执行，进入到while循环中。首先是从proc->todo中取回待处理事项w。这个事项w的类型是BINDER_WORK_TRANSACTION，这是上面调用binder_transaction的时候设置的，于是通过w得到待处理事务t：

[cpp] view plain copy print ?

t=container_of(w,structbinder_transaction,work);

t = container_of(w, struct binder_transaction, work);

接下来的内容，就把cmd和t->buffer的内容拷贝到用户传进来的缓冲区去了，这里就是Service Manager从用户空间传进来的缓冲区了：

[cpp] view plain copy print ?

if(put_user(cmd,(uint32_t__user*)ptr))
return-EFAULT;
ptr+=sizeof(uint32_t);
if(copy_to_user(ptr,&tr,sizeof(tr)))
return-EFAULT;
ptr+=sizeof(tr);

if (put_user(cmd, (uint32_t __user *)ptr))return -EFAULT;ptr += sizeof(uint32_t);if (copy_to_user(ptr, &tr, sizeof(tr)))return -EFAULT;ptr += sizeof(tr);

注意，这里先是把t->buffer的内容拷贝到本地变量tr中，再拷贝到用户空间缓冲区去。关于t->buffer内容的拷贝，请参考 Android系统进程间通信（IPC）机制Binder中的Server启动过程源代码分析一文，它的一个关键地方是Binder驱动程序和Service Manager守护进程共享了同一个物理内存的内容，拷贝的只是这个物理内存在用户空间的虚拟地址回去：

[cpp] view plain copy print ?

tr.data.ptr.buffer=(void*)t->buffer->data+proc->user_buffer_offset;
tr.data.ptr.offsets=tr.data.ptr.buffer+ALIGN(t->buffer->data_size,sizeof(void*));

tr.data.ptr.buffer = (void *)t->buffer->data + proc->user_buffer_offset;tr.data.ptr.offsets = tr.data.ptr.buffer + ALIGN(t->buffer->data_size, sizeof(void *));

对于Binder驱动程序这次操作来说，这个事项就算是处理完了，就要从todo队列中删除了：

[cpp] view plain copy print ?

list_del(&t->work.entry);

list_del(&t->work.entry);

紧接着，还不放删除这个事务，因为它还要等待Service Manager处理完成后，再进一步处理，因此，放在thread->transaction_stack队列中：

[cpp] view plain copy print ?

t->to_parent=thread->transaction_stack;
t->to_thread=thread;
thread->transaction_stack=t;

t->to_parent = thread->transaction_stack;t->to_thread = thread;thread->transaction_stack = t;

还要注意的一个地方是，上面写入的cmd =BR_TRANSACTION，告诉Service Manager守护进程，它要做什么事情，后面我们会看到相应的分析。

这样，binder_thread_read函数就处理完了，回到binder_ioctl函数中，同样是操作结果写回到用户空间的缓冲区中去：

[cpp] view plain copy print ?

if(copy_to_user(ubuf,&bwr,sizeof(bwr))){
ret=-EFAULT;
gotoerr;
}

if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {    ret = -EFAULT;    goto err;}

最后，就返回到frameworks/base/cmds/servicemanager/binder.c文件中的binder_loop函数去了：