Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>See if my discussion makes sense...</p> <p><a href="https://docs.google.com/document/d/10EYlyuxDw1KPy7LJlGtgMz69gwMO-pjDHS2GRtppvZg/edit?usp=sharing" rel="noreferrer">dissection of android service internal</a></p> <p>As suggested by one of the readers I am trying to copy some portion of the write-up here.</p> <p>Have you ever wondered how an app gets an handle to the system services like POWER MANAGER or ACTIVITY MANAGER or LOCATION MANAGER and several others like these. To know that I dug into the source code of Android and found out how this is done internally. So let me start from the application side’s java code.</p> <p>At the application side we have to call the function <code>getService</code> and pass the ID of the system service (say POWER_SERVICE) to get an handle to the service.</p> <p>Here is the code for <code>getService</code> defined in /frameworks/base/core/java/android/os/ServiceManager.java</p> <pre><code> /** 44 * Returns a reference to a service with the given name. 45 * 46 * @param name the name of the service to get 47 * @return a reference to the service, or &lt;code&gt;null&lt;/code&gt; if the service doesn't exist 48 */ 49 public static IBinder getService(String name) { 50 try { 51 IBinder service = sCache.get(name); 52 if (service != null) { 53 return service; 54 } else { 55 return getIServiceManager().getService(name); 56 } 57 } catch (RemoteException e) { 58 Log.e(TAG, "error in getService", e); 59 } 60 return null; 61 } </code></pre> <p>Suppose we don’t have the service in the cache. Hence we need to concentrate on line 55 <code>return getIServiceManager().getService(name);</code></p> <p>This call actually gets a handle to the service manager and asks it to return a reference of the service whose name we have passed as a parameter.</p> <p>Now let us see how the <code>getIServiceManager()</code> function returns a handle to the ServiceManager. </p> <p>Here is the code of getIserviceManager() from /frameworks/base/core/java/android/os/ServiceManager.java</p> <pre><code>private static IServiceManager getIServiceManager() { 34 if (sServiceManager != null) { 35 return sServiceManager; 36 } 37 38 // Find the service manager 39 sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject()); 40 return sServiceManager; 41 } </code></pre> <p>The ServicemanagerNative.asInterface() looks like the following:</p> <pre><code>/** 28 * Cast a Binder object into a service manager interface, generating 29 * a proxy if needed. 30 */ 31 static public IServiceManager asInterface(IBinder obj) 32 { 33 if (obj == null) { 34 return null; 35 } 36 IServiceManager in = 37 (IServiceManager)obj.queryLocalInterface(descriptor); 38 if (in != null) { 39 return in; 40 } 41 42 return new ServiceManagerProxy(obj); 43 } </code></pre> <p>So basically we are getting a handle to the native servicemanager.</p> <p>This asInterface function is actually buried inside the two macros <code>DECLARE_META_INTERFACE(ServiceManager)</code> and <code>IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");</code> defined in IserviceManager.h and IServiceManager.cpp respectively.</p> <p>Lets delve into the two macros defined in /frameworks/base/include/binder/IInterface.h</p> <p>The <code>DECLARE_META_INTERFACE(ServiceManager)</code> macro is defined as </p> <pre class="lang-c prettyprint-override"><code>// ---------------------------------------------------------------------- 73 74#define DECLARE_META_INTERFACE(INTERFACE) \ 75 static const android::String16 descriptor; \ 76 static android::sp&lt;I##INTERFACE&gt; asInterface( \ 77 const android::sp&lt;android::IBinder&gt;&amp; obj); \ 78 virtual const android::String16&amp; getInterfaceDescriptor() const; \ 79 I##INTERFACE(); \ 80 virtual ~I##INTERFACE(); \ </code></pre> <p>And the <code>IMPLEMENT_META_INTERFACE(ServiceManager, "android.os.IServiceManager");</code> has been defined as follows:</p> <pre class="lang-c prettyprint-override"><code>#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME) \ 84 const android::String16 I##INTERFACE::descriptor(NAME); \ 85 const android::String16&amp; \ 86 I##INTERFACE::getInterfaceDescriptor() const { \ 87 return I##INTERFACE::descriptor; \ 88 } \ 89 android::sp&lt;I##INTERFACE&gt; I##INTERFACE::asInterface( \ 90 const android::sp&lt;android::IBinder&gt;&amp; obj) \ 91 { \ 92 android::sp&lt;I##INTERFACE&gt; intr; \ 93 if (obj != NULL) { \ 94 intr = static_cast&lt;I##INTERFACE*&gt;( \ 95 obj-&gt;queryLocalInterface( \ 96 I##INTERFACE::descriptor).get()); \ 97 if (intr == NULL) { \ 98 intr = new Bp##INTERFACE(obj); \ 99 } \ 100 } \ 101 return intr; \ 102 } \ 103 I##INTERFACE::I##INTERFACE() { } \ 104 I##INTERFACE::~I##INTERFACE() { } </code></pre> <p>So if we replace expand these two macros in IServiceManager.h &amp; IServiceManager.cpp file with the appropriate replacement parameters they look like the following:</p> <pre class="lang-cpp prettyprint-override"><code>class IServiceManager : public IInterface { public: static const android::String16 descriptor; static android::sp&lt;IServiceManager&gt; asInterface( const android::sp&lt;android::IBinder&gt;&amp; obj); virtual const android::String16&amp; getInterfaceDescriptor() const; IServicemanager(); virtual ~IServiceManager(); …...... …..... …... ….. </code></pre> <p>And in IServiceManager.cpp</p> <pre class="lang-cpp prettyprint-override"><code>const android::String16 IServiceManager::descriptor("android.os.IServiceManager”); const android::String16&amp; IServiceManager::getInterfaceDescriptor() const { return IServiceManager::descriptor; } android::sp&lt;IServiceManager&gt; IServiceManager::asInterface( const android::sp&lt;android::IBinder&gt;&amp; obj) { android::sp&lt; IServiceManager&gt; intr; if (obj != NULL) { intr = static_cast&lt;IServiceManager*&gt;( obj-&gt;queryLocalInterface( IServiceManager::descriptor).get()); if (intr == NULL) { intr = new BpServiceManager(obj); } } return intr; } IServiceManager::IServiceManager() { } IServiceManager::~IIServiceManager { } </code></pre> <p>So if you see the line 12 which shows if the Service Manager is up and running (and it should because the service manager starts in the init process during Android boot up) it returns the reference to it through the queryLocalinterface function and it goes up all the way to the java interface.</p> <pre><code>public IBinder getService(String name) throws RemoteException { 116 Parcel data = Parcel.obtain(); 117 Parcel reply = Parcel.obtain(); 118 data.writeInterfaceToken(IServiceManager.descriptor); 119 data.writeString(name); 120 mRemote.transact(GET_SERVICE_TRANSACTION, data, reply, 0); 121 IBinder binder = reply.readStrongBinder(); 122 reply.recycle(); 123 data.recycle(); 124 return binder; 125 } </code></pre> <p>from ServiceManagerNative.java. In this function we pass the service that we are looking for.</p> <p>And the onTransact function for GET_SERVICE_TRANSACTION on the remote stub looks like the following:</p> <pre><code>public boolean onTransact(int code, Parcel data, Parcel reply, int flags) 51 { 52 try { 53 switch (code) { 54 case IServiceManager.GET_SERVICE_TRANSACTION: { 55 data.enforceInterface(IServiceManager.descriptor); 56 String name = data.readString(); 57 IBinder service = getService(name); 58 reply.writeStrongBinder(service); 59 return true; 60 } 61 62 case IServiceManager.CHECK_SERVICE_TRANSACTION: { 63 data.enforceInterface(IServiceManager.descriptor); 64 String name = data.readString(); 65 IBinder service = checkService(name); 66 reply.writeStrongBinder(service); 67 return true; 68 } 69 //Rest has been discarded for brevity………………….. …………………. …………………. ………………… </code></pre> <p>It returns the reference to the needed service through the function getService. The getService function from /frameworks/base/libs/binder/IServiceManager.cpp looks like the following:</p> <pre class="lang-cpp prettyprint-override"><code> virtual sp&lt;IBinder&gt; getService(const String16&amp; name) const 134 { 135 unsigned n; 136 for (n = 0; n &lt; 5; n++){ 137 sp&lt;IBinder&gt; svc = checkService(name); 138 if (svc != NULL) return svc; 139 LOGI("Waiting for service %s...\n", String8(name).string()); 140 sleep(1); 141 } 142 return NULL; 143 } </code></pre> <p>So it actually checks if the Service is available and then returns a reference to it. Here I would like to add that when we return a reference to an IBinder object, unlike other data types it does not get copied in the client’s address space, but it's actually the same reference of the IBinder object which is shared to the client through a special technique called object mapping in the Binder driver.</p> <p>To add more details to the discussion, let me go a little deeper into it.</p> <p>The checkService function looks like the following:</p> <pre><code>virtual sp&lt;IBinder&gt; checkService( const String16&amp; name) const { Parcel data, reply; data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor()); data.writeString16(name); remote()-&gt;transact(CHECK_SERVICE_TRANSACTION, data, &amp;reply); return reply.readStrongBinder(); } </code></pre> <p>So it actually calls a remote service and pass CHECK_SERVICE_TRANSACTION code (its an enum value of 2) to it.</p> <p>This remote service is actually implemented in frameworks/base/cmds/servicemanager/service_manager.c and its onTransact looks like the following.</p> <pre><code>switch(txn-&gt;code) { case SVC_MGR_GET_SERVICE: case SVC_MGR_CHECK_SERVICE: s = bio_get_string16(msg, &amp;len); ptr = do_find_service(bs, s, len); if (!ptr) break; bio_put_ref(reply, ptr); return 0; </code></pre> <p>Hence we end up calling the function named do_find_service which gets a reference to the service and returns it back.</p> <p>The do_find_service from the same file looks as follows: </p> <pre><code>void *do_find_service(struct binder_state *bs, uint16_t *s, unsigned len) { struct svcinfo *si; si = find_svc(s, len); // ALOGI("check_service('%s') ptr = %p\n", str8(s), si ? si-&gt;ptr : 0); if (si &amp;&amp; si-&gt;ptr) { return si-&gt;ptr; } else { return 0; } </code></pre> <p>find_svc looks as follows:</p> <pre><code>struct svcinfo *find_svc(uint16_t *s16, unsigned len) { struct svcinfo *si; for (si = svclist; si; si = si-&gt;next) { if ((len == si-&gt;len) &amp;&amp; !memcmp(s16, si-&gt;name, len * sizeof(uint16_t))) { return si; } } return 0; } </code></pre> <p>As it becomes clear that it traverses through the svclist and returns the the service we are looking for.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload