Android Service繫結過程完整分析

Android Service繫結過程完整分析
1 Star2 Stars3 Stars4 Stars5 Stars 給文章打分!
Loading...

通常我們使用Service都要和它通訊,當想要與Service通訊的時候,那麼Service要處於繫結狀態的。然後客戶端可以拿到一個Binder與服務端進行通訊,這個過程是很自然的。

那你真的瞭解過Service的繫結過程嗎?為什麼可以是Binder和Service通訊?
同樣的先看一張圖大致瞭解一下,灰色背景框起來的是同一個類的方法,如下:

我們知道呼叫Context的bindService方法即可繫結一個Service,而ContextImpl是Context的實現類。那接下來就從原始碼的角度分析Service的繫結過程。

當然是從ContextImpl的bindService方法開始,如下:


@Override
public boolean bindService(Intent service, ServiceConnection conn,
int flags) {
warnIfCallingFromSystemProcess();
return bindServiceCommon(service, conn, flags, mMainThread.getHandler(),
Process.myUserHandle());
}

在bindService方法中又會轉到bindServiceCommon方法,將Intent,ServiceConnection物件傳進。

那就看看bindServiceCommon方法的實現。


private boolean bindServiceCommon(Intent service, ServiceConnection conn, int flags, Handler
handler, UserHandle user) {
IServiceConnection sd;
if (conn == null) {
throw new IllegalArgumentException("connection is null");
}
if (mPackageInfo != null) {
sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(), handler, flags);
} else {
throw new RuntimeException("Not supported in system context");
}
validateServiceIntent(service);
try {
IBinder token = getActivityToken();
if (token == null && (flags&BIND_AUTO_CREATE) == 0 && mPackageInfo != null
&& mPackageInfo.getApplicationInfo().targetSdkVersion
< android.os.Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
flags |= BIND_WAIVE_PRIORITY;
}
service.prepareToLeaveProcess(this);
int res = ActivityManagerNative.getDefault().bindService(
mMainThread.getApplicationThread(), getActivityToken(), service,
service.resolveTypeIfNeeded(getContentResolver()),
sd, flags, getOpPackageName(), user.getIdentifier());
if (res < 0) {
throw new SecurityException(
"Not allowed to bind to service "   service);
}
return res != 0;
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}

在上述程式碼中,呼叫了mPackageInfo(LoadedApk物件)的getServiceDispatcher方法。從getServiceDispatcher方法的名字可以看出是獲取一個“服務分發者”。其實是根據這個“服務分發者”獲取到一個Binder物件的。

那現在就看到getServiceDispatcher方法的實現。


public final IServiceConnection getServiceDispatcher(ServiceConnection c,
Context context, Handler handler, int flags) {
synchronized (mServices) {
LoadedApk.ServiceDispatcher sd = null;
ArrayMap<ServiceConnection, LoadedApk.ServiceDispatcher> map = mServices.get(context);
if (map != null) {
sd = map.get(c);
}
if (sd == null) {
sd = new ServiceDispatcher(c, context, handler, flags);
if (map == null) {
map = new ArrayMap<ServiceConnection, LoadedApk.ServiceDispatcher>();
mServices.put(context, map);
}
map.put(c, sd);
} else {
sd.validate(context, handler);
}
return sd.getIServiceConnection();
}
}

從getServiceDispatcher方法的實現可以知道,ServiceConnection和ServiceDispatcher構成了對映關係。當儲存集合不為空的時候,根據傳進的key,也就是ServiceConnection,來取出對應的ServiceDispatcher物件。
當取出ServiceDispatcher物件後,最後一行程式碼是關鍵,

return sd.getIServiceConnection();

呼叫了ServiceDispatcher物件的getIServiceConnection方法。這個方法肯定是獲取一個IServiceConnection的。


IServiceConnection getIServiceConnection() {
return mIServiceConnection;
}

那麼mIServiceConnection是什麼?現在就可以來看下ServiceDispatcher類了。ServiceDispatcher是LoadedApk的內部類,裡面封裝了InnerConnection和ServiceConnection。如下:


static final class ServiceDispatcher {
private final ServiceDispatcher.InnerConnection mIServiceConnection;
private final ServiceConnection mConnection;
private final Context mContext;
private final Handler mActivityThread;
private final ServiceConnectionLeaked mLocation;
private final int mFlags;
private RuntimeException mUnbindLocation;
private boolean mForgotten;
private static class ConnectionInfo {
IBinder binder;
IBinder.DeathRecipient deathMonitor;
}
private static class InnerConnection extends IServiceConnection.Stub {
final WeakReference<LoadedApk.ServiceDispatcher> mDispatcher;
InnerConnection(LoadedApk.ServiceDispatcher sd) {
mDispatcher = new WeakReference<LoadedApk.ServiceDispatcher>(sd);
}
public void connected(ComponentName name, IBinder service) throws RemoteException {
LoadedApk.ServiceDispatcher sd = mDispatcher.get();
if (sd != null) {
sd.connected(name, service);
}
}
}
private final ArrayMap<ComponentName, ServiceDispatcher.ConnectionInfo> mActiveConnections
= new ArrayMap<ComponentName, ServiceDispatcher.ConnectionInfo>();
ServiceDispatcher(ServiceConnection conn,
Context context, Handler activityThread, int flags) {
mIServiceConnection = new InnerConnection(this);
mConnection = conn;
mContext = context;
mActivityThread = activityThread;
mLocation = new ServiceConnectionLeaked(null);
mLocation.fillInStackTrace();
mFlags = flags;
}
//程式碼省略
}

先看到ServiceDispatcher的構造方法,一個ServiceDispatcher關聯一個InnerConnection物件。而InnerConnection呢?,它是一個Binder,有一個很重要的connected方法。至於為什麼要用Binder,因為與Service通訊可能是跨程序的。

好,到了這裡先總結一下:呼叫bindService方法繫結服務,會轉到bindServiceCommon方法。
在bindServiceCommon方法中,會呼叫LoadedApk的getServiceDispatcher方法,並將ServiceConnection傳進, 根據這個ServiceConnection取出與其對映的ServiceDispatcher物件,最後呼叫這個ServiceDispatcher物件的getIServiceConnection方法獲取與其關聯的InnerConnection物件並返回。簡單點理解就是用ServiceConnection換來了InnerConnection。

現在回到bindServiceCommon方法,可以看到繫結Service的過程會轉到ActivityManagerNative.getDefault()的bindService方法,其實從丟擲的異常型別RemoteException也可以知道與Service通訊可能是跨程序的,這個是很好理解的。

而ActivityManagerNative.getDefault()是ActivityManagerService,那麼繼續跟進ActivityManagerService的bindService方法即可,如下:


public int bindService(IApplicationThread caller, IBinder token, Intent service,
String resolvedType, IServiceConnection connection, int flags, String callingPackage,
int userId) throws TransactionTooLargeException {
enforceNotIsolatedCaller("bindService");
// Refuse possible leaked file descriptors
if (service != null && service.hasFileDescriptors() == true) {
throw new IllegalArgumentException("File descriptors passed in Intent");
}
if (callingPackage == null) {
throw new IllegalArgumentException("callingPackage cannot be null");
}
synchronized(this) {
return mServices.bindServiceLocked(caller, token, service,
resolvedType, connection, flags, callingPackage, userId);
}
}

在上述程式碼中,繫結Service的過程轉到ActiveServices的bindServiceLocked方法,那就跟進ActiveServices的bindServiceLocked方法瞧瞧。如下:


int bindServiceLocked(IApplicationThread caller, IBinder token, Intent service,
String resolvedType, final IServiceConnection connection, int flags,
String callingPackage, final int userId) throws TransactionTooLargeException {
//程式碼省略
ConnectionRecord c = new ConnectionRecord(b, activity,
connection, flags, clientLabel, clientIntent);
IBinder binder = connection.asBinder();
ArrayList<ConnectionRecord> clist = s.connections.get(binder);
if (clist == null) {
clist = new ArrayList<ConnectionRecord>();
s.connections.put(binder, clist);
}
clist.add(c);
//程式碼省略
if ((flags&Context.BIND_AUTO_CREATE) != 0) {
s.lastActivity = SystemClock.uptimeMillis();
if (bringUpServiceLocked(s, service.getFlags(), callerFg, false,
permissionsReviewRequired) != null) {
return 0;
}
}
//程式碼省略
return 1;
}

將connection物件封裝在ConnectionRecord中,這裡的connection就是上面提到的InnerConnection物件。這一步很重要的。

然後呼叫了bringUpServiceLocked方法,那麼就探探這個bringUpServiceLocked方法,


private String bringUpServiceLocked(ServiceRecord r, int intentFlags, boolean execInFg,
boolean whileRestarting, boolean permissionsReviewRequired)
throws TransactionTooLargeException {
//程式碼省略
if (app != null && app.thread != null) {
try {
app.addPackage(r.appInfo.packageName, r.appInfo.versionCode, mAm.mProcessStats);
realStartServiceLocked(r, app, execInFg);
return null;
} catch (TransactionTooLargeException e) {
throw e;
} catch (RemoteException e) {
Slog.w(TAG, "Exception when starting service "   r.shortName, e);
}
// If a dead object exception was thrown -- fall through to
// restart the application.
}
//程式碼省略
return null;
}

可以看到呼叫了realStartServiceLocked方法,真正去啟動Service了。

那麼跟進realStartServiceLocked方法探探,如下:


private final void realStartServiceLocked(ServiceRecord r,
ProcessRecord app, boolean execInFg) throws RemoteException {
//程式碼省略
app.thread.scheduleCreateService(r, r.serviceInfo,
mAm.compatibilityInfoForPackageLocked(r.serviceInfo.applicationInfo),
app.repProcState);
r.postNotification();
created = true;
//程式碼省略
requestServiceBindingsLocked(r, execInFg);
updateServiceClientActivitiesLocked(app, null, true);
// If the service is in the started state, and there are no
// pending arguments, then fake up one so its onStartCommand() will
// be called.
if (r.startRequested && r.callStart && r.pendingStarts.size() == 0) {
r.pendingStarts.add(new ServiceRecord.StartItem(r, false, r.makeNextStartId(),
null, null));
}
sendServiceArgsLocked(r, execInFg, true);
//程式碼省略
}

這裡會呼叫app.thread的scheduleCreateService方法去建立一個Service,然後會回撥Service的生命週期方法,然而繫結Service呢?
在上述程式碼中,找到一個requestServiceBindingsLocked方法,從名字看是請求繫結服務的意思,那麼就是它沒錯了。


private final void requestServiceBindingsLocked(ServiceRecord r, boolean execInFg)
throws TransactionTooLargeException {
for (int i=r.bindings.size()-1; i>=0; i--) {
IntentBindRecord ibr = r.bindings.valueAt(i);
if (!requestServiceBindingLocked(r, ibr, execInFg, false)) {
break;
}
}
}

咦,我再按住Ctrl 滑鼠左鍵,點進去requestServiceBindingLocked方法。如下:


private final boolean requestServiceBindingLocked(ServiceRecord r, IntentBindRecord i,
boolean execInFg, boolean rebind) throws TransactionTooLargeException {
if (r.app == null || r.app.thread == null) {
// If service is not currently running, can't yet bind.
return false;
}
if ((!i.requested || rebind) && i.apps.size() > 0) {
try {
bumpServiceExecutingLocked(r, execInFg, "bind");
r.app.forceProcessStateUpTo(ActivityManager.PROCESS_STATE_SERVICE);
r.app.thread.scheduleBindService(r, i.intent.getIntent(), rebind,
r.app.repProcState);
if (!rebind) {
i.requested = true;
}
i.hasBound = true;
i.doRebind = false;
}
//程式碼省略
return true;
}

r.app.thread呼叫了scheduleBindService方法來繫結服務,而r.app.thread是ApplicationThread,現在關注到 ApplicationThread即可,scheduleBindService方法如下:


public final void scheduleBindService(IBinder token, Intent intent,
boolean rebind, int processState) {
updateProcessState(processState, false);
BindServiceData s = new BindServiceData();
s.token = token;
s.intent = intent;
s.rebind = rebind;
if (DEBUG_SERVICE)
Slog.v(TAG, "scheduleBindService token="   token   " intent="   intent   " uid="
Binder.getCallingUid()   " pid="   Binder.getCallingPid());
sendMessage(H.BIND_SERVICE, s);
}

封裝了待繫結的Service的資訊,併傳送了一個訊息給主執行緒,


public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: "   codeToString(msg.what));
switch (msg.what) {
//程式碼省略
case BIND_SERVICE:
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "serviceBind");
handleBindService((BindServiceData)msg.obj);
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
break;
//程式碼省略
}
}

呼叫了handleBindService方法,即將繫結完成啦。


private void handleBindService(BindServiceData data) {
Service s = mServices.get(data.token);
if (DEBUG_SERVICE)
Slog.v(TAG, "handleBindService s="   s   " rebind="   data.rebind);
if (s != null) {
try {
data.intent.setExtrasClassLoader(s.getClassLoader());
data.intent.prepareToEnterProcess();
try {
if (!data.rebind) {
IBinder binder = s.onBind(data.intent);
ActivityManagerNative.getDefault().publishService(
data.token, data.intent, binder);
} else {
s.onRebind(data.intent);
ActivityManagerNative.getDefault().serviceDoneExecuting(
data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);
}
ensureJitEnabled();
} catch (RemoteException ex) {
throw ex.rethrowFromSystemServer();
}
} catch (Exception e) {
if (!mInstrumentation.onException(s, e)) {
throw new RuntimeException(
"Unable to bind to service "   s
" with "   data.intent   ": "   e.toString(), e);
}
}
}
}

根據token獲取到Service,然後Service回撥onBind方法。結束了?

可是onBind方法返回了一個binder是用來幹嘛的?
我們再看看ActivityManagerNative.getDefault()呼叫了publishService方法做了什麼工作,此時又回到了ActivityManagerService。


public void publishService(IBinder token, Intent intent, IBinder service) {
// Refuse possible leaked file descriptors
if (intent != null && intent.hasFileDescriptors() == true) {
throw new IllegalArgumentException("File descriptors passed in Intent");
}
synchronized(this) {
if (!(token instanceof ServiceRecord)) {
throw new IllegalArgumentException("Invalid service token");
}
mServices.publishServiceLocked((ServiceRecord)token, intent, service);
}
}

又會交給ActiveServices處理,轉到了publishServiceLocked方法,那看到ActiveServices的publishServiceLocked方法,


void publishServiceLocked(ServiceRecord r, Intent intent, IBinder service) {
final long origId = Binder.clearCallingIdentity();
try {
if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "PUBLISHING "   r
" "   intent   ": "   service);
if (r != null) {
Intent.FilterComparison filter
= new Intent.FilterComparison(intent);
IntentBindRecord b = r.bindings.get(filter);
if (b != null && !b.received) {
b.binder = service;
b.requested = true;
b.received = true;
for (int conni=r.connections.size()-1; conni>=0; conni--) {
ArrayList<ConnectionRecord> clist = r.connections.valueAt(conni);
for (int i=0; i<clist.size(); i  ) {
ConnectionRecord c = clist.get(i);
if (!filter.equals(c.binding.intent.intent)) {
if (DEBUG_SERVICE) Slog.v(
TAG_SERVICE, "Not publishing to: "   c);
if (DEBUG_SERVICE) Slog.v(
TAG_SERVICE, "Bound intent: "   c.binding.intent.intent);
if (DEBUG_SERVICE) Slog.v(
TAG_SERVICE, "Published intent: "   intent);
continue;
}
if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Publishing to: "   c);
try {
c.conn.connected(r.name, service);
}
//程式碼省略
}

c.conn是什麼? 它是一個InnerConnection物件,對,就是那個那個Binder,上面也貼出了程式碼,在ActiveServices的bindServiceLocked方法中,InnerConnection物件被封裝在ConnectionRecord中。那麼現在它呼叫了connected方法,就很好理解了。

InnerConnection的connected方法如下:


public void connected(ComponentName name, IBinder service) throws RemoteException {
LoadedApk.ServiceDispatcher sd = mDispatcher.get();
if (sd != null) {
sd.connected(name, service);
}
}

會呼叫ServiceDispatcher 的connected方法,如下


public void connected(ComponentName name, IBinder service) {
if (mActivityThread != null) {
mActivityThread.post(new RunConnection(name, service, 0));
} else {
doConnected(name, service);
}
}

從而ActivityThread會投遞一個訊息到主執行緒,此時就解決了跨程序通訊。
那麼你應該猜到了RunConnection一定有在主執行緒回撥的onServiceConnected方法,


private final class RunConnection implements Runnable {
RunConnection(ComponentName name, IBinder service, int command) {
mName = name;
mService = service;
mCommand = command;
}
public void run() {
if (mCommand == 0) {
doConnected(mName, mService);
} else if (mCommand == 1) {
doDeath(mName, mService);
}
}
final ComponentName mName;
final IBinder mService;
final int mCommand;
}

咦,還不出現?繼續跟進doConnected方法,


public void doConnected(ComponentName name, IBinder service) {
ServiceDispatcher.ConnectionInfo old;
ServiceDispatcher.ConnectionInfo info;
synchronized (this) {
if (mForgotten) {
// We unbound before receiving the connection; ignore
// any connection received.
return;
}
old = mActiveConnections.get(name);
if (old != null && old.binder == service) {
// Huh, already have this one. Oh well!
return;
}
if (service != null) {
// A new service is being connected... set it all up.
info = new ConnectionInfo();
info.binder = service;
info.deathMonitor = new DeathMonitor(name, service);
try {
service.linkToDeath(info.deathMonitor, 0);
mActiveConnections.put(name, info);
} catch (RemoteException e) {
// This service was dead before we got it... just
// don't do anything with it.
mActiveConnections.remove(name);
return;
}
} else {
// The named service is being disconnected... clean up.
mActiveConnections.remove(name);
}
if (old != null) {
old.binder.unlinkToDeath(old.deathMonitor, 0);
}
}
// If there was an old service, it is not disconnected.
if (old != null) {
mConnection.onServiceDisconnected(name);
}
// If there is a new service, it is now connected.
if (service != null) {
mConnection.onServiceConnected(name, service);
}
}

在最後一個if判斷,終於找到了onServiceConnected方法!

總結一下,當Service回撥onBind方法,其實還沒有結束,會轉到ActivityManagerService,然後又會在ActiveServices的publishServiceLocked方法中,從ConnectionRecord中取出InnerConnection物件。有了InnerConnection物件後,就回撥了它的connected。在InnerConnection的connected方法中,又會呼叫ServiceDispatcher的connected方法,在ServiceDispatcher的connected方法向主執行緒扔了一個訊息,切換到了主執行緒,之後就在主執行緒中回撥了客戶端傳進的ServiceConnected物件的onServiceConnected方法。

至此, Service的繫結過程分析完畢。

相關文章

Android 開發 最新文章