Haifeng Li, profile picture
Uploaded byHaifeng Li
PDF, PPTX1,098 views

Understanding binder in android

Binder is an inter-process communication system used in Android to allow processes to interact. It uses a client-server model where a client contacts a service via its binder handle. Data is packaged into a parcel and sent to the kernel binder driver via ioctl calls. The driver then delivers the transaction to the target service's thread to be processed by its stub and dispatched to the actual service code.

Embed presentation

Download as PDF, PPTX
Understanding Binder in Android Haifeng Li 2014-9-2
Outline •Background –What is Binder –Binder Communication Model –Terminology –Binder Software Stack •Client(user space) •Binder driver (Kernel Space) •Service(user space)
Background •What is Binder? –An Inter-process communication system for developing object-oriented OS services. clientserverData
Binder Communication Model User SpaceKernel SpaceCclientserviceBinder Driverioctl/open/...ioctl/open/... mInmOutioctl/open/... mInmOutmInmOutService Manager/system/bin/servicemanagerCGet ServiceAdd ServiceService 1 – handle 1Service 2 – handle 2...
Terminology •Service Handle •Remote Binder •Local Binder •Binder node •Binder reference •Service Manager(Context Manager) –It’s handle is 0 in all binder client and server. Binder DriverRemote Binder/HandleLocal BinderBinder NodeBinder ref.
IPC Software Stack App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6 1. BpBinder(n) -> transact(OP, data, &reply) 2. IPCThreadState::transact(handle, OP, data, reply) 3. ioctl(binder_fd, BINDER_OPERATION, &bwr) 4. IPCThreadState::getAndExecuteCommand() 5. Bnxxx::onTransact(OP, data, reply)
Client(user space) • Initialization – Call system call open(), which is binder_open in kernel. Open /dev/binder file and get a file description. Create some key data structures. – mmap 1MB-8KB virtual space for data transaction by binder_mmap in kernel. • Get handle of service from service manager • Sent request to Service by BpBinder(handle) • Data transact to kernel by IPCThreadState. App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6
Data Transaction in Client(1) •Package in Client 102 virtual void Client::Foo(int32_t push_data) { 103 Parcel data, reply; 104 data.writeInterfaceToken(IDemo::getInterfaceDescriptor()); 105 data.writeInt32(push_data);//writeStrongBinder(service) 109 110 remote()->transact(OP, data, &reply); Parcel...flat_binder_objectmDataflat_binder_objectmObjectsService
Data Transaction in Client(2) •Packaged to binder_transaction_data IPCThreadState::writeTransactionData(int32_t cmd, …, int32_t handle, uint32_t code, const Parcel& data…) •cmd will add to mData.(BC_TRANSACTION, BC_REPLY,… Binder Command) •Target: target handle •Cookie: will be define according to handle in binder driver •Code: Operation of client. •Offsets could help the binder driver to process binder object reference. Parcel...flat_binder_objectmDataflat_binder_objectmObjectstargetcookiecode... data.ptr.bufferdata.ptr.offsets... binder_transaction_data
Data Transaction in Client(3) •Binder Command(User->Driver) –Binder Thread Support: BC_REGISTER_LOOPER, BC_ENTER LOOPER,BC_EXIT_LOOPER –Binder Transactions: BC_TRANSACTION, BC_REPLY –Further Mechanism: BC_INCREFS, BC_RELEASE , BC_DECREFS, BC_REQUEST_DEATH_NOTIFICIATION, BC_CLEAR_DEATH_NOTIFICATION, BC_DEAD_BINDER_DONE,… •Binder Return Command (Driver -> User) –Binder Thread Support: BR_SPAWN_LOOPER –Binder Transactions: BR_TRANSACTION, BR_REPLY –Further Mechanism: BR_INCREFS,BR_ACQUIRE, BR_RELEASE , BR_DECREFS, BR_CLEAR_DEATH_NOTIFICATION_DONE, … ClientServerDriverBC_TRANSACTIONBR_TRANSACTIONBC_REPLYBR_REPLYBC_FREE_BUFFERBC_FREE_BUFFER
Data Transaction in Client(4) •Repackage to Parcel(mOut) •Each working thread has two parcel: mOut and mIn. mOut is for write buffer, mIn for read buffer. Parcelcmdbinder_transactin_datamDatawrite_sizeWrite_bufferRead_sizeRead_bufferbinder_write_read
Outline •Background •Client(user space) •Binder driver (Kernel Space) •Service(user space) App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6
Binder Driver:Binder Protocol •The protocol used for ioctl() system call. –BINDER_WRITE_READ –BINDER_SET_MAX_THREADS –BINDER_SET_CONTEXT_MGR –BINDER_THREAD_EXIT –BINDER_VERSION –BINDER_SET_IDLE_TIMEOUT
Key Data Structure (1) Binder Driver Process 1 Process 2 Process 3 binder_proc binder_proc binder_proc threads node refs_by_desc refs_by_node • The binder_proc is mapped to process by 1:1. It is created on binder_open(). • All binder_proc are listed in binder_procs. • The binder_proc has 4 red-black tree. • The binder_thread represents a working thread, inserted into threads rbtree. • The binder_node represents a service, inserted into node rbtree. • refs_by_desc and refs_by_node represent reference to a proc_node.
Key Data Structure (2) User spaceKernel spaceBpBinderRemote BinderBBinderLocal Binderbinder_procnoderefs_by_nodebinder_procnoderefs_by_nodebinder_refbinder_node
Key Data Structure (3) ... todothreadbinder_procbinder_threadtodobinder_workbinder_workbinder_workbinder_work... ... binder_transactionbinder_transaction
Input Data Format ParcelParcelwrite_sizewrite_bufferread_sizeread_bufferbinder_write_readbufferdata_sizeoffsets... binder_transaction_datacodecookiehandleoffset 1offset 2... ... flat_binder_objectflat_binder_objectBC_TRANSACTIONBC_XXXXxxx data structmOut... headIPCThreadStateClient
Transaction in Binder – Client (1) 1. Copy binder_write_read from user space 2. Copy xxx data to kernel space. Iterate the items: ① Get Binder command from write_buffer(BC_XXX). ② Get target thread/proc/node by handle. ③ Allocate binder_buffer from target space, and copy effective data. ④ Build a session(build_transaction). ⑤ Mount the session to target_thread’s todo list. ⑥ Mount a BINDER_WORK_TRANSACTION_COMPLETE binder_work to source thread ⑦ Wake up corresponding thread. Parcel Parcel write_size write_buffer read_size read_buffer binder_write_read buffer data_size offsets ... binder_transaction_data code cookie handle offset 1 offset 2 ... ... flat_binder_object flat_binder_object BC_TRANSACTION BC_XXX Xxxx data struct mOut ... head IPCThreadState Client 1 2 ① ② ③
Transaction in Binder –Client (2) Target SpacedataCopyParcelParcelwrite_sizewrite_bufferread_sizeread_bufferbinder_write_readbufferdata_sizeoffsets... binder_transaction_datacodecookiehandleoffset 1offset 2... ... flat_binder_objectflat_binder_objectBC_TRANSACTIONBC_XXXXxxx data structmOut... headIPCThreadStateClientbufferpriorityoffsetssender_euidbinder_transactioncodeto_threadto_procdata... offsets_sizedata_sizetarget_nodebinder_bufferOffsets[] Copy
Transaction in Binder -- Server 1.Server thread wake up and get a binder_work(binder_transaction) from todo list 2.Build a binder_transaction_data from binder_transaction 3.Set priority of current thread of client. 4.The buffer and offsets will be virtual address –Virtual address = kernel address + address offset 5.Copy binder_transaction_data to mIn 6.Return from kernel 7.IPCThreadState iternate the command and data. –For BR_TRANSACTION, call stub’s onTransact function, which will call server service function finally. Target Spacedatabufferpriorityoffsetssender_euidbinder_transactioncodeto_threadto_procdata... offsets_sizedata_sizetarget_nodebinder_bufferOffsets[] bufferdata_sizeoffsets... binder_transaction_datacodecookiehandle Kernel Space write_sizewrite_bufferread_sizeread_bufferbinder_write_readParcelmInBR_NOOPDatabinder_transaction_dataBR_TRANSACTIONCopy to user User Space
Transaction stack(1) •The stack is for recording transaction session. •Commonly, to_parent and from_parent is null. But, when the transaction rely on other session, what will happen? –The session in B will lost. A(list_head)todoBinder_thread BBinder_thread transaction_stackwait queue... (list_head)todotransaction_stackwait queue... to_parentfrom_parent... sender_euidbinder_transaction... to_threadtodo
Transaction stack(2) •For example, A -> B, B->C, C->A
Binder Workflow

More Related Content

PPTX
Android AIDL Concept
byCharile Tsai
 
PPTX
Android Binder: Deep Dive
byZafar Shahid, PhD
 
PPTX
Binder: Android IPC
byShaul Rosenzwieg
 
PDF
Android IPC Mechanism
byNational Cheng Kung University
 
PPTX
Overview of Android binder IPC implementation
byChethan Pchethan
 
PDF
Android Binder IPC for Linux
byYu-Hsin Hung
 
PDF
Low Level View of Android System Architecture
byNational Cheng Kung University
 
ODP
Android crash debugging
byAshish Agrawal
 
Android AIDL Concept
byCharile Tsai
 
Android Binder: Deep Dive
byZafar Shahid, PhD
 
Binder: Android IPC
byShaul Rosenzwieg
 
Android IPC Mechanism
byNational Cheng Kung University
 
Overview of Android binder IPC implementation
byChethan Pchethan
 
Android Binder IPC for Linux
byYu-Hsin Hung
 
Low Level View of Android System Architecture
byNational Cheng Kung University
 
Android crash debugging
byAshish Agrawal
 

What's hot

PDF
Explore Android Internals
byNational Cheng Kung University
 
PDF
Embedded Android : System Development - Part IV (Android System Services)
byEmertxe Information Technologies Pvt Ltd
 
PDF
The Android graphics path, in depth
byChris Simmonds
 
PDF
Design and Concepts of Android Graphics
byNational Cheng Kung University
 
PPTX
Aidl service
byAnjan Debnath
 
PPTX
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
byBin Chen
 
PPT
Android JNI
bySiva Ramakrishna kv
 
PDF
Android Things : Building Embedded Devices
byEmertxe Information Technologies Pvt Ltd
 
ODP
Inter-process communication of Android
byTetsuyuki Kobayashi
 
PDF
Android Boot Time Optimization
byKan-Ru Chen
 
PPT
Learning AOSP - Android Booting Process
byNanik Tolaram
 
PDF
Project meeting: Android Graphics Architecture Overview
byYu-Hsin Hung
 
PDF
Android binder introduction
byDerek Fang
 
ODP
Embedded Android : System Development - Part III
byEmertxe Information Technologies Pvt Ltd
 
PDF
Embedded Android : System Development - Part IV
byEmertxe Information Technologies Pvt Ltd
 
PDF
Embedded Android : System Development - Part II (HAL)
byEmertxe Information Technologies Pvt Ltd
 
PDF
Android's Multimedia Framework
byOpersys inc.
 
PDF
Scheduling in Android
byOpersys inc.
 
ODP
SR-IOV Introduce
byLingfei Kong
 
PDF
Android's HIDL: Treble in the HAL
byOpersys inc.
 
Explore Android Internals
byNational Cheng Kung University
 
Embedded Android : System Development - Part IV (Android System Services)
byEmertxe Information Technologies Pvt Ltd
 
The Android graphics path, in depth
byChris Simmonds
 
Design and Concepts of Android Graphics
byNational Cheng Kung University
 
Aidl service
byAnjan Debnath
 
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
byBin Chen
 
Android JNI
bySiva Ramakrishna kv
 
Android Things : Building Embedded Devices
byEmertxe Information Technologies Pvt Ltd
 
Inter-process communication of Android
byTetsuyuki Kobayashi
 
Android Boot Time Optimization
byKan-Ru Chen
 
Learning AOSP - Android Booting Process
byNanik Tolaram
 
Project meeting: Android Graphics Architecture Overview
byYu-Hsin Hung
 
Android binder introduction
byDerek Fang
 
Embedded Android : System Development - Part III
byEmertxe Information Technologies Pvt Ltd
 
Embedded Android : System Development - Part IV
byEmertxe Information Technologies Pvt Ltd
 
Embedded Android : System Development - Part II (HAL)
byEmertxe Information Technologies Pvt Ltd
 
Android's Multimedia Framework
byOpersys inc.
 
Scheduling in Android
byOpersys inc.
 
SR-IOV Introduce
byLingfei Kong
 
Android's HIDL: Treble in the HAL
byOpersys inc.
 

Viewers also liked

PDF
Understanding Monitor in Dalvik
byHaifeng Li
 
PDF
Understanding DLmalloc
byHaifeng Li
 
PDF
Understanding Semi-Space Garbage Collector in ART
byHaifeng Li
 
PDF
Process Scheduler and Balancer in Linux Kernel
byHaifeng Li
 
PDF
Understanding SLAB in Linux Kernel
byHaifeng Li
 
PDF
AARCH64 VMSA Under Linux Kernel
byHaifeng Li
 
Understanding Monitor in Dalvik
byHaifeng Li
 
Understanding DLmalloc
byHaifeng Li
 
Understanding Semi-Space Garbage Collector in ART
byHaifeng Li
 
Process Scheduler and Balancer in Linux Kernel
byHaifeng Li
 
Understanding SLAB in Linux Kernel
byHaifeng Li
 
AARCH64 VMSA Under Linux Kernel
byHaifeng Li
 

Similar to Understanding binder in android

PDF
Binding android piece by piece
byBucharest Java User Group
 
PDF
Android IPC Mechanism
byLihan Chen
 
PDF
June 2014 - IPC in android
byBlrDroid
 
PPTX
Inter Process Communication (IPC) in Android
byMalwinder Singh
 
PDF
Android ipm 20110409
byTetsuyuki Kobayashi
 
PDF
Highload++2014: 1Hippeus - zerocopy messaging in the spirit of Sparta!
byLeonid Yuriev
 
PPTX
IPC: AIDL is not a curse
byYonatan Levin
 
PDF
1Hippeus - zerocopy messaging по законам Спарты, Леонид Юрьев (ПЕТЕР-СЕРВИС)
byOntico
 
PPTX
Ipc: aidl sexy, not a curse
byYonatan Levin
 
PPTX
IPC: AIDL is sexy, not a curse
byYonatan Levin
 
PDF
Android framework design and development
byramalinga prasad tadepalli
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PDF
Android internals 06 - Binder, Typical subsystem (rev_1.1)
byEgor Elizarov
 
PPTX
9 services
byAjayvorar
 
PPTX
Android service, aidl - day 1
byUtkarsh Mankad
 
PPT
Service oriented component model
byravindrareddy
 
PDF
Reinventing the wheel: libmc
byMyautsai PAN
 
PPTX
Netty Notes Part 2 - Transports and Buffers
byRick Hightower
 
PDF
Performance evaluation of Android IPC
by承剛 謝
 
PDF
UA Mobile 2012 (English)
bydmalykhanov
 
Binding android piece by piece
byBucharest Java User Group
 
Android IPC Mechanism
byLihan Chen
 
June 2014 - IPC in android
byBlrDroid
 
Inter Process Communication (IPC) in Android
byMalwinder Singh
 
Android ipm 20110409
byTetsuyuki Kobayashi
 
Highload++2014: 1Hippeus - zerocopy messaging in the spirit of Sparta!
byLeonid Yuriev
 
IPC: AIDL is not a curse
byYonatan Levin
 
1Hippeus - zerocopy messaging по законам Спарты, Леонид Юрьев (ПЕТЕР-СЕРВИС)
byOntico
 
Ipc: aidl sexy, not a curse
byYonatan Levin
 
IPC: AIDL is sexy, not a curse
byYonatan Levin
 
Android framework design and development
byramalinga prasad tadepalli
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
Android internals 06 - Binder, Typical subsystem (rev_1.1)
byEgor Elizarov
 
9 services
byAjayvorar
 
Android service, aidl - day 1
byUtkarsh Mankad
 
Service oriented component model
byravindrareddy
 
Reinventing the wheel: libmc
byMyautsai PAN
 
Netty Notes Part 2 - Transports and Buffers
byRick Hightower
 
Performance evaluation of Android IPC
by承剛 謝
 
UA Mobile 2012 (English)
bydmalykhanov
 

Recently uploaded

PPTX
Principles of Energy Efficiency_ Doing More with Less
bygreentechnexus2024
 
PPTX
Generative AI Deep Dive: Architectures, Mechanics, and Future Applications
bygenz9514
 
PDF
Why Buildings Crumble Before Their Time And How We Can Build a Legacy
byinfoplanetcon
 
PPT
lec13.ppt FOR COMPOSITES AND POLYMERS MATERIAL SCIENCE
byKevinkahrlPipino
 
PPTX
Push pop Unit 1 CEC369 IoT P CEC369 IoT P
byKesavRaj8
 
PPTX
ensemble learning of machine learning .pptx
bydeepalishinkar1
 
PDF
Grade 11 Quarter 3 Gravitational Potentional Energy
bybuannnbeatrice
 
PDF
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
PPT
399-Cathodic-Protection-Presentation.ppt
byMekine
 
PPTX
AI at the Crossroads_ Transforming the Future of Green Technology.pptx
bygreentechnexus2024
 
PPTX
introduction-to-maintenance- Dr. Munthear Alqaderi
byDr. Munthear Alqaderi
 
PPTX
Intrusion Detection Systems presentation.pptx
bykamalakantas
 
PPTX
Waste to Energy - G2 Ethanol.pptx to process
byGegaGrandeza1
 
PPTX
Lead-acid battery.pptx.........................
byTarikBouchala
 
PDF
@Regenerative braking system of DC motor
bysangamkumar993613
 
PPT
Virtual Instrumentation Programming Techniques.ppt
bySivaranjaniS39
 
PPTX
TRANSPORTATION ENGINEERING Unit-5.1.pptx
byMood Naik
 
PDF
Welcome to ISPR 2026 - 12th International Conference on Image and Signal Pro...
byieijjournal
 
PPTX
TRANSPORTATION ENGINEERING Unit-5.2.pptx
byMood Naik
 
PDF
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 
Principles of Energy Efficiency_ Doing More with Less
bygreentechnexus2024
 
Generative AI Deep Dive: Architectures, Mechanics, and Future Applications
bygenz9514
 
Why Buildings Crumble Before Their Time And How We Can Build a Legacy
byinfoplanetcon
 
lec13.ppt FOR COMPOSITES AND POLYMERS MATERIAL SCIENCE
byKevinkahrlPipino
 
Push pop Unit 1 CEC369 IoT P CEC369 IoT P
byKesavRaj8
 
ensemble learning of machine learning .pptx
bydeepalishinkar1
 
Grade 11 Quarter 3 Gravitational Potentional Energy
bybuannnbeatrice
 
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
399-Cathodic-Protection-Presentation.ppt
byMekine
 
AI at the Crossroads_ Transforming the Future of Green Technology.pptx
bygreentechnexus2024
 
introduction-to-maintenance- Dr. Munthear Alqaderi
byDr. Munthear Alqaderi
 
Intrusion Detection Systems presentation.pptx
bykamalakantas
 
Waste to Energy - G2 Ethanol.pptx to process
byGegaGrandeza1
 
Lead-acid battery.pptx.........................
byTarikBouchala
 
@Regenerative braking system of DC motor
bysangamkumar993613
 
Virtual Instrumentation Programming Techniques.ppt
bySivaranjaniS39
 
TRANSPORTATION ENGINEERING Unit-5.1.pptx
byMood Naik
 
Welcome to ISPR 2026 - 12th International Conference on Image and Signal Pro...
byieijjournal
 
TRANSPORTATION ENGINEERING Unit-5.2.pptx
byMood Naik
 
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 

Understanding binder in android

  • 1.
    Understanding Binder inAndroid Haifeng Li 2014-9-2
  • 2.
    Outline •Background –Whatis Binder –Binder Communication Model –Terminology –Binder Software Stack •Client(user space) •Binder driver (Kernel Space) •Service(user space)
  • 3.
    Background •What isBinder? –An Inter-process communication system for developing object-oriented OS services. clientserverData
  • 4.
    Binder Communication Model User SpaceKernel SpaceCclientserviceBinder Driverioctl/open/...ioctl/open/... mInmOutioctl/open/... mInmOutmInmOutService Manager/system/bin/servicemanagerCGet ServiceAdd ServiceService 1 – handle 1Service 2 – handle 2...
  • 5.
    Terminology •Service Handle •Remote Binder •Local Binder •Binder node •Binder reference •Service Manager(Context Manager) –It’s handle is 0 in all binder client and server. Binder DriverRemote Binder/HandleLocal BinderBinder NodeBinder ref.
  • 6.
    IPC Software Stack App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6 1. BpBinder(n) -> transact(OP, data, &reply) 2. IPCThreadState::transact(handle, OP, data, reply) 3. ioctl(binder_fd, BINDER_OPERATION, &bwr) 4. IPCThreadState::getAndExecuteCommand() 5. Bnxxx::onTransact(OP, data, reply)
  • 7.
    Client(user space) •Initialization – Call system call open(), which is binder_open in kernel. Open /dev/binder file and get a file description. Create some key data structures. – mmap 1MB-8KB virtual space for data transaction by binder_mmap in kernel. • Get handle of service from service manager • Sent request to Service by BpBinder(handle) • Data transact to kernel by IPCThreadState. App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6
  • 8.
    Data Transaction inClient(1) •Package in Client 102 virtual void Client::Foo(int32_t push_data) { 103 Parcel data, reply; 104 data.writeInterfaceToken(IDemo::getInterfaceDescriptor()); 105 data.writeInt32(push_data);//writeStrongBinder(service) 109 110 remote()->transact(OP, data, &reply); Parcel...flat_binder_objectmDataflat_binder_objectmObjectsService
  • 9.
    Data Transaction inClient(2) •Packaged to binder_transaction_data IPCThreadState::writeTransactionData(int32_t cmd, …, int32_t handle, uint32_t code, const Parcel& data…) •cmd will add to mData.(BC_TRANSACTION, BC_REPLY,… Binder Command) •Target: target handle •Cookie: will be define according to handle in binder driver •Code: Operation of client. •Offsets could help the binder driver to process binder object reference. Parcel...flat_binder_objectmDataflat_binder_objectmObjectstargetcookiecode... data.ptr.bufferdata.ptr.offsets... binder_transaction_data
  • 10.
    Data Transaction inClient(3) •Binder Command(User->Driver) –Binder Thread Support: BC_REGISTER_LOOPER, BC_ENTER LOOPER,BC_EXIT_LOOPER –Binder Transactions: BC_TRANSACTION, BC_REPLY –Further Mechanism: BC_INCREFS, BC_RELEASE , BC_DECREFS, BC_REQUEST_DEATH_NOTIFICIATION, BC_CLEAR_DEATH_NOTIFICATION, BC_DEAD_BINDER_DONE,… •Binder Return Command (Driver -> User) –Binder Thread Support: BR_SPAWN_LOOPER –Binder Transactions: BR_TRANSACTION, BR_REPLY –Further Mechanism: BR_INCREFS,BR_ACQUIRE, BR_RELEASE , BR_DECREFS, BR_CLEAR_DEATH_NOTIFICATION_DONE, … ClientServerDriverBC_TRANSACTIONBR_TRANSACTIONBC_REPLYBR_REPLYBC_FREE_BUFFERBC_FREE_BUFFER
  • 11.
    Data Transaction inClient(4) •Repackage to Parcel(mOut) •Each working thread has two parcel: mOut and mIn. mOut is for write buffer, mIn for read buffer. Parcelcmdbinder_transactin_datamDatawrite_sizeWrite_bufferRead_sizeRead_bufferbinder_write_read
  • 12.
    Outline •Background •Client(userspace) •Binder driver (Kernel Space) •Service(user space) App1 service Proxy(BpBinder) Stub(BnBinder) IPCThreadState IPCThreadState Binder Module User Space Kernel Space Client Server 1 2 3 4 5 6
  • 13.
    Binder Driver:Binder Protocol •The protocol used for ioctl() system call. –BINDER_WRITE_READ –BINDER_SET_MAX_THREADS –BINDER_SET_CONTEXT_MGR –BINDER_THREAD_EXIT –BINDER_VERSION –BINDER_SET_IDLE_TIMEOUT
  • 14.
    Key Data Structure(1) Binder Driver Process 1 Process 2 Process 3 binder_proc binder_proc binder_proc threads node refs_by_desc refs_by_node • The binder_proc is mapped to process by 1:1. It is created on binder_open(). • All binder_proc are listed in binder_procs. • The binder_proc has 4 red-black tree. • The binder_thread represents a working thread, inserted into threads rbtree. • The binder_node represents a service, inserted into node rbtree. • refs_by_desc and refs_by_node represent reference to a proc_node.
  • 15.
    Key Data Structure(2) User spaceKernel spaceBpBinderRemote BinderBBinderLocal Binderbinder_procnoderefs_by_nodebinder_procnoderefs_by_nodebinder_refbinder_node
  • 16.
    Key Data Structure(3) ... todothreadbinder_procbinder_threadtodobinder_workbinder_workbinder_workbinder_work... ... binder_transactionbinder_transaction
  • 17.
    Input Data Format ParcelParcelwrite_sizewrite_bufferread_sizeread_bufferbinder_write_readbufferdata_sizeoffsets... binder_transaction_datacodecookiehandleoffset 1offset 2... ... flat_binder_objectflat_binder_objectBC_TRANSACTIONBC_XXXXxxx data structmOut... headIPCThreadStateClient
  • 18.
    Transaction in Binder– Client (1) 1. Copy binder_write_read from user space 2. Copy xxx data to kernel space. Iterate the items: ① Get Binder command from write_buffer(BC_XXX). ② Get target thread/proc/node by handle. ③ Allocate binder_buffer from target space, and copy effective data. ④ Build a session(build_transaction). ⑤ Mount the session to target_thread’s todo list. ⑥ Mount a BINDER_WORK_TRANSACTION_COMPLETE binder_work to source thread ⑦ Wake up corresponding thread. Parcel Parcel write_size write_buffer read_size read_buffer binder_write_read buffer data_size offsets ... binder_transaction_data code cookie handle offset 1 offset 2 ... ... flat_binder_object flat_binder_object BC_TRANSACTION BC_XXX Xxxx data struct mOut ... head IPCThreadState Client 1 2 ① ② ③
  • 19.
    Transaction in Binder–Client (2) Target SpacedataCopyParcelParcelwrite_sizewrite_bufferread_sizeread_bufferbinder_write_readbufferdata_sizeoffsets... binder_transaction_datacodecookiehandleoffset 1offset 2... ... flat_binder_objectflat_binder_objectBC_TRANSACTIONBC_XXXXxxx data structmOut... headIPCThreadStateClientbufferpriorityoffsetssender_euidbinder_transactioncodeto_threadto_procdata... offsets_sizedata_sizetarget_nodebinder_bufferOffsets[] Copy
  • 20.
    Transaction in Binder-- Server 1.Server thread wake up and get a binder_work(binder_transaction) from todo list 2.Build a binder_transaction_data from binder_transaction 3.Set priority of current thread of client. 4.The buffer and offsets will be virtual address –Virtual address = kernel address + address offset 5.Copy binder_transaction_data to mIn 6.Return from kernel 7.IPCThreadState iternate the command and data. –For BR_TRANSACTION, call stub’s onTransact function, which will call server service function finally. Target Spacedatabufferpriorityoffsetssender_euidbinder_transactioncodeto_threadto_procdata... offsets_sizedata_sizetarget_nodebinder_bufferOffsets[] bufferdata_sizeoffsets... binder_transaction_datacodecookiehandle Kernel Space write_sizewrite_bufferread_sizeread_bufferbinder_write_readParcelmInBR_NOOPDatabinder_transaction_dataBR_TRANSACTIONCopy to user User Space
  • 21.
    Transaction stack(1) •Thestack is for recording transaction session. •Commonly, to_parent and from_parent is null. But, when the transaction rely on other session, what will happen? –The session in B will lost. A(list_head)todoBinder_thread BBinder_thread transaction_stackwait queue... (list_head)todotransaction_stackwait queue... to_parentfrom_parent... sender_euidbinder_transaction... to_threadtodo
  • 22.
    Transaction stack(2) •Forexample, A -> B, B->C, C->A
  • 23.