Android插件化前番:预备知识

发表于 | 分类于

引言

Android的插件化目前可谓是百花齐放,从最早的《Android内核剖析》中柯元旦对于插件化的简单示例,到任玉刚的DynamicLoadApk,再到360的DroidPlugin,以及阿里的Atlas。虽然它们的实现方式有差异,但也有很多的共同点。要想理解它们的原理,需要一些预备知识。建议把本篇Blog与Java服务框架分析结合起来看

1.绑定服务获取的对象的真相

AIDL的使用就不啰嗦了,不懂的可以看我的Blog Android中的跨进程通信方法实例及特点分析(一):AIDL Service.其中aidl定义如下: 

1
2
3
4
5
6
7
8
// IData.aidl
package com.android.service;
// Declare any non-default types here with import statements
interface IData {
   int getRoomNum(int source);
}

生成的IData.java如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
package com.android.service;
// Declare any non-default types here with import statements
public interface IData extends android.os.IInterface
{
    /** Local-side IPC implementation stub class. */
    public static abstract class Stub extends android.os.Binder implements com.android.service.IData
    {
        private static final java.lang.String DESCRIPTOR = "com.android.service.IData";
        /** Construct the stub at attach it to the interface. */
        public Stub()
        {
        this.attachInterface(this, DESCRIPTOR);
        }
        /**
         * Cast an IBinder object into an com.android.service.IData interface,
         * generating a proxy if needed.
         */
        public static com.android.service.IData asInterface(android.os.IBinder obj)
        {
            if ((obj==null)) {
            return null;
            }
            android.os.IInterface iin = obj.queryLocalInterface(DESCRIPTOR);
            if (((iin!=null)&&(iin instanceof com.android.service.IData))) {
            return ((com.android.service.IData)iin);
            }
            return new com.android.service.IData.Stub.Proxy(obj);
        }
        @Override public android.os.IBinder asBinder()
        {
        return this;
        }
        @Override public boolean onTransact(int code, android.os.Parcel data, android.os.Parcel reply, int flags) throws android.os.RemoteException
        {
            switch (code)
            {
                case INTERFACE_TRANSACTION:
                {
                    reply.writeString(DESCRIPTOR);
                    return true;
                }
                case TRANSACTION_getRoomNum:
                {
                    data.enforceInterface(DESCRIPTOR);
                    int _arg0;
                    _arg0 = data.readInt();
                    int _result = this.getRoomNum(_arg0);
                    reply.writeNoException();
                    reply.writeInt(_result);
                    return true;
                }
            }
            return super.onTransact(code, data, reply, flags);
        }
        private static class Proxy implements com.android.service.IData
        {
            private android.os.IBinder mRemote;
            Proxy(android.os.IBinder remote)
            {
                mRemote = remote;
            }
            @Override public android.os.IBinder asBinder()
            {
                return mRemote;
            }
            public java.lang.String getInterfaceDescriptor()
            {
                return DESCRIPTOR;
            }
            @Override public int getRoomNum(int source) throws android.os.RemoteException
            {
                android.os.Parcel _data = android.os.Parcel.obtain();
                android.os.Parcel _reply = android.os.Parcel.obtain();
                int _result;
                try {
                    _data.writeInterfaceToken(DESCRIPTOR);
                    _data.writeInt(source);
                    mRemote.transact(Stub.TRANSACTION_getRoomNum, _data, _reply, 0);
                    _reply.readException();
                    _result = _reply.readInt();
                }
                finally {
                    _reply.recycle();
                    _data.recycle();
                }
                return _result;
            }
        }
        static final int TRANSACTION_getRoomNum = (android.os.IBinder.FIRST_CALL_TRANSACTION + 0);
    }
    public int getRoomNum(int source) throws android.os.RemoteException;
}

显然,IData.Stub提供了一个本地的抽象类,而IData.Stub.Proxy则提供了一个代理类,它们都实现了IData这个接口。
而真正的Service提供者只需要继承IData.Stub,如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public class RoomService extends Service {
    private static final String TAG=RoomService.class.getSimpleName();
    private IData.Stub mBinder=new IData.Stub() {
        @Override
        public int getRoomNum(int source) throws RemoteException {
            return 10*source;
        }
    };
    @Override
    public IBinder onBind(Intent intent){
        Log.d(TAG,"onBind");
        return mBinder;
    }
}

其中mBinder对象实现了IData.Stub()这个抽象类.
RoomService是作为Android Service呈现,它在Manifest中的声明如下: 

1
2
3
4
5
6
7
<service android:name="com.android.service.RoomService"
           android:process=":remote"
           >
           <intent-filter>
               <action android:name="com.aidl.service.room"/>
           </intent-filter>
</service>

注意RoomService的action为”com.aidl.service.room”,这个在Context.bindService()时需要用到.

而Client中绑定服务的代码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 IData mData;
 private ServiceConnection conn=new ServiceConnection() {
     @Override
     public void onServiceConnected(ComponentName componentName, IBinder binder) {
         Log.d(TAG,"onServiceConnected");
         //binder是一个android.os.BinderProxy对象; asInterface()中第一次android.os.IInterface iin = obj.queryLocalInterface(DESCRIPTOR);的结果iin为null
         //所以调用Proxy生成代理,从而可知Proxy中mRemote为BinderProxy对象
         mData=IData.Stub.asInterface(binder);
     }
     @Override
     public void onServiceDisconnected(ComponentName componentName) {
          Log.d(TAG,"onServiceDisconnected");
     }
 };
private void bindService(){
     Intent intent=new Intent();
     intent.setAction(ROOM_SERVICE_ACTION);
     bindService(intent,conn,BIND_AUTO_CREATE);
}

我们从mData=IData.Stub.asInterface(binder)入手,看看返回的mData到底是什么对象。

其中IData.Stub.asInterface的代码如下: 

1
2
3
4
5
6
7
8
9
10
11
public static com.android.service.IData asInterface(android.os.IBinder obj)
    {
        if ((obj==null)) {
        return null;
        }
        android.os.IInterface iin = obj.queryLocalInterface(DESCRIPTOR);
        if (((iin!=null)&&(iin instanceof com.android.service.IData))) {
        return ((com.android.service.IData)iin);
        }
        return new com.android.service.IData.Stub.Proxy(obj);
    }

Debug会发现obj其实是BinderProxy对象(至于为什么是BinderProxy对象,在后面讲到ActivityManagerNative时会分析),而BinderProxy的部分代码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
final class BinderProxy implements IBinder {
   
    ...
    public IInterface queryLocalInterface(String descriptor) {
        return null;
    }
    ...
     
    final private WeakReference mSelf;
    private long mObject;
    private long mOrgue;
}

显然,BinderProxy对象的queryLocalInterface()返回null,所以IData.Stub.asInterface()会调用return new com.android.service.IData.Stub.Proxy(obj);生成IData.Stub.Proxy对象,其中obj为BinderProxy对象。
所以mData其实是一个IData.Stub.Proxy对象。所以调用mData.getRoomNum()时其实调用的是IData.Stub.Proxy的getRoomNum()方法: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@Override 
public int getRoomNum(int source) throws android.os.RemoteException
        {
            android.os.Parcel _data = android.os.Parcel.obtain();
            android.os.Parcel _reply = android.os.Parcel.obtain();
            int _result;
            try {
                _data.writeInterfaceToken(DESCRIPTOR);
                _data.writeInt(source);
                mRemote.transact(Stub.TRANSACTION_getRoomNum, _data, _reply, 0);
                _reply.readException();
                _result = _reply.readInt();
            }
            finally {
                _reply.recycle();
                _data.recycle();
            }
            return _result;
        }

那么为什么在Client端调用mData.getRoomNum()就能获取到RoomService提供的服务,就需要分析bindService()的过程了。

2.bindService()完整过程剖析

Activity基础自ContextThemeWrapper,而ContextThemeWrapper又继承自ContextWrapper,ContextWrapper中bindService()的操作是由ContextImpl对象完成的。代码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
@Override
public boolean bindService(Intent service, ServiceConnection conn,
        int flags) {
    warnIfCallingFromSystemProcess();
    return bindServiceCommon(service, conn, flags, Process.myUserHandle());
}
/** @hide */
@Override
public boolean bindServiceAsUser(Intent service, ServiceConnection conn, int flags,
        UserHandle user) {
    return bindServiceCommon(service, conn, flags, user);
}
private boolean bindServiceCommon(Intent service, ServiceConnection conn, int flags,
        UserHandle user) {
    IServiceConnection sd;
    if (conn == null) {
        throw new IllegalArgumentException("connection is null");
    }
    if (mPackageInfo != null) {
        sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(),
                mMainThread.getHandler(), flags);
    } else {
        throw new RuntimeException("Not supported in system context");
    }
    validateServiceIntent(service);
    try {
        IBinder token = getActivityToken();
        if (token == null && (flags&BIND_AUTO_CREATE) == 0 && mPackageInfo != null
                && mPackageInfo.getApplicationInfo().targetSdkVersion
                < android.os.Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
            flags |= BIND_WAIVE_PRIORITY;
        }
        service.prepareToLeaveProcess();
        int res = ActivityManagerNative.getDefault().bindService(
            mMainThread.getApplicationThread(), getActivityToken(),
            service, service.resolveTypeIfNeeded(getContentResolver()),
            sd, flags, user.getIdentifier());
        if (res < 0) {
            throw new SecurityException(
                    "Not allowed to bind to service " + service);
        }
        return res != 0;
    } catch (RemoteException e) {
        return false;
    }
}

显然最终会调用到ActivityManagerNative.getDefault().bindService()方法,而ActivityManagerNative.getDefault()是什么呢?
它其实是一个单例对象,代码如下: 

1
2
3
static public IActivityManager getDefault() {
        return gDefault.get();
    }

其中的gDefault就是单例对象,它的定义如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>() {
     protected IActivityManager create() {
     	//b是一个BinderProxy对象,该对象的mObject对应new BpBinder(handle)对象;
         IBinder b = ServiceManager.getService("activity");
         if (false) {
             Log.v("ActivityManager", "default service binder = " + b);
         }
         IActivityManager am = asInterface(b);
         if (false) {
             Log.v("ActivityManager", "default service = " + am);
         }
         return am;
     }
 };

其中ServiceManager.getService(“activity”);返回的是一个BinderProxy对象,并且该对象中的mObject对应native层的一个BpBinder对象,详细分析见我的Blog Java服务框架分析.

而asInterface方法如下: 

1
2
3
4
5
6
7
8
9
10
11
12
static public IActivityManager asInterface(IBinder obj) {
      if (obj == null) {
          return null;
      }
      IActivityManager in =
          (IActivityManager)obj.queryLocalInterface(descriptor);
      if (in != null) {
          return in;
      }
      return new ActivityManagerProxy(obj);
  }

到这里可以发现,其实ActivityManagerNative与前面的IData.Stub非常类似,事实上也是如此,ActivityManagerNative对应的代理类是ActivityManagerProxy,而真正实现ActivityManagerNative的类是AcitivityManagerService。所以这里其实生成了一个ActivityManagerProxy对象,而ActivityManagerProxy的构造方法如下: 

1
2
3
4
5
public ActivityManagerProxy(IBinder remote)
{
	//mRemote是一个BinderProxy对象,该对象的mObject成员指向一个BpBinder(handle)对象
    mRemote = remote;
}

所以ActivityManagerProxy中的mRemote是一个BinderProxy对象,而且该对象中的mObject对应native层的一个BpBinder对象,该BpBinder中含有ActivityManagerService注册在context_manager的句柄(handle).注意native层管理binder节点的是context_manager而不是ServiceManager,ServiceManager严格说来只是管理Java层服务的一个代理对象而已,而context_manager既管理Java层服务也管理native层服务

再回到ContextImpl中,ActivityManagerNative.getDefault().bindService()其实是调用ActivityManagerProxy对象的bindService()方法,代码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public int bindService(IApplicationThread caller, IBinder token,
        Intent service, String resolvedType, IServiceConnection connection,
        int flags, int userId) throws RemoteException {
    Parcel data = Parcel.obtain();
    Parcel reply = Parcel.obtain();
    data.writeInterfaceToken(IActivityManager.descriptor);
    data.writeStrongBinder(caller != null ? caller.asBinder() : null);
    data.writeStrongBinder(token);
    service.writeToParcel(data, 0);
    data.writeString(resolvedType);
    data.writeStrongBinder(connection.asBinder());
    data.writeInt(flags);
    data.writeInt(userId);
    mRemote.transact(BIND_SERVICE_TRANSACTION, data, reply, 0);
    reply.readException();
    int res = reply.readInt();
    data.recycle();
    reply.recycle();
    return res;
}

其中mRemote是BinderProxy对象,这里其实就是调用BinderProxy.transact()方法: 

1
2
3
4
5
6
7
public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
       Binder.checkParcel(this, code, data, "Unreasonably large binder buffer");
       return transactNative(code, data, reply, flags);
   }
   public native boolean transactNative(int code, Parcel data, Parcel reply,
           int flags) throws RemoteException;

显然,transactNative是个native方法,它对应的android_util_Binder.cpp中的android_os_BinderProxy_transact()方法: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
        jint code, jobject dataObj, jobject replyObj, jint flags) // throws RemoteException
{
    if (dataObj == NULL) {
        jniThrowNullPointerException(env, NULL);
        return JNI_FALSE;
    }
    Parcel* data = parcelForJavaObject(env, dataObj);
    if (data == NULL) {
        return JNI_FALSE;
    }
    Parcel* reply = parcelForJavaObject(env, replyObj);
    if (reply == NULL && replyObj != NULL) {
        return JNI_FALSE;
    }
    IBinder* target = (IBinder*)
        env->GetLongField(obj, gBinderProxyOffsets.mObject);
    if (target == NULL) {
        jniThrowException(env, "java/lang/IllegalStateException", "Binder has been finalized!");
        return JNI_FALSE;
    }
    ALOGV("Java code calling transact on %p in Java object %p with code %" PRId32 "\n",
            target, obj, code);
#if ENABLE_BINDER_SAMPLE
    // Only log the binder call duration for things on the Java-level main thread.
    // But if we don't
    const bool time_binder_calls = should_time_binder_calls();
    int64_t start_millis;
    if (time_binder_calls) {
        start_millis = uptimeMillis();
    }
#endif
    //printf("Transact from Java code to %p sending: ", target); data->print();
    status_t err = target->transact(code, *data, reply, flags);
    //if (reply) printf("Transact from Java code to %p received: ", target); reply->print();
#if ENABLE_BINDER_SAMPLE
    if (time_binder_calls) {
        conditionally_log_binder_call(start_millis, target, code);
    }
#endif
    if (err == NO_ERROR) {
        return JNI_TRUE;
    } else if (err == UNKNOWN_TRANSACTION) {
        return JNI_FALSE;
    }
    signalExceptionForError(env, obj, err, true /*canThrowRemoteException*/);
    return JNI_FALSE;
}

其中的target就是BinderProxy对象中的BpBinder对象,而data,reply对应Java层的data,replay对象。
而BpBinder::transact()方法如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
status_t BpBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    // Once a binder has died, it will never come back to life.
    if (mAlive) {
        status_t status = IPCThreadState::self()->transact(
            mHandle, code, data, reply, flags);
        if (status == DEAD_OBJECT) mAlive = 0;
        return status;
    }
    return DEAD_OBJECT;
}

后面就是IPCThreadState与驱动交互的过程了,由于不是本文的重点,而且在之前的Blog分析过,就不展开了。感兴趣的童鞋可以看我之前与Binder有关的Blog,简单的说,就是通过Binder Driver实现跨进程通信,最后在用户进程中调用到ActivityManagerService的binderService()方法。

ActivityManagerService.bindService()代码如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
public int bindService(IApplicationThread caller, IBinder token,
         Intent service, String resolvedType,
         IServiceConnection connection, int flags, int userId) {
     enforceNotIsolatedCaller("bindService");
     // Refuse possible leaked file descriptors
     if (service != null && service.hasFileDescriptors() == true) {
         throw new IllegalArgumentException("File descriptors passed in Intent");
     }
     synchronized(this) {
         return mServices.bindServiceLocked(caller, token, service, resolvedType,
                 connection, flags, userId);
     }
 }

之后的调用比较多,但其实分析起来并不难,就不展开了,有兴趣的童鞋可以看看老罗的这篇分析:Android应用程序绑定服务(bindService)的过程源代码分析

最后会调用到LoadedApk的内部类ServiceDispatcher中doConnected()方法: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
public void doConnected(ComponentName name, IBinder service) {
        ServiceDispatcher.ConnectionInfo old;
        ServiceDispatcher.ConnectionInfo info;
        synchronized (this) {
            if (mForgotten) {
                // We unbound before receiving the connection; ignore
                // any connection received.
                return;
            }
            old = mActiveConnections.get(name);
            if (old != null && old.binder == service) {
                // Huh, already have this one.  Oh well!
                return;
            }
            if (service != null) {
                // A new service is being connected... set it all up.
                mDied = false;
                info = new ConnectionInfo();
                info.binder = service;
                info.deathMonitor = new DeathMonitor(name, service);
                try {
                    service.linkToDeath(info.deathMonitor, 0);
                    mActiveConnections.put(name, info);
                } catch (RemoteException e) {
                    // This service was dead before we got it...  just
                    // don't do anything with it.
                    mActiveConnections.remove(name);
                    return;
                }
            } else {
                // The named service is being disconnected... clean up.
                mActiveConnections.remove(name);
            }
            if (old != null) {
                old.binder.unlinkToDeath(old.deathMonitor, 0);
            }
        }
        // If there was an old service, it is not disconnected.
        if (old != null) {
            mConnection.onServiceDisconnected(name);
        }
        // If there is a new service, it is now connected.
        if (service != null) {
            mConnection.onServiceConnected(name, service);
        }
    }

可以看到这里回调了mConnection.onServiceConnected()方法,而其中的的service就是通过Binder机制获取的BinderProxy对象,这个BinderProxy对象中的mObject对应的BpBinder中含有RoomService注册在context_manager中的句柄(handle).之后通过它就可以实现跨进程调用。

3.系统服务获取过程

其实刚刚我们在分析的过程中就涉及到了ActivityManagerService的获取过程,可以发现Java层的系统服务与我们自己实现的AIDL Service非常类似,有一个接口(如IActivityManager),一个Stub类(如ActivityManagerNative)和一个代理类(如ActivityManagerProxy),以及真正提供服务的类(如ActivityManagerService).

下面分析在Context子类(如Activity,Service)中getSystemService()是如何获取系统服务的。
以Activity.getSystemService()为例,其实最终调用的是ContextImpl中的getSystemService()方法: 

1
2
3
4
5
@Override
public Object getSystemService(String name) {
    ServiceFetcher fetcher = SYSTEM_SERVICE_MAP.get(name);
    return fetcher == null ? null : fetcher.getService(this);
}

其中SYSTEM_SERVICE_MAP是在registerService()时填充进去的,下面是ContextImpl中registerService的部分代码: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
static {
       registerService(ACCESSIBILITY_SERVICE, new ServiceFetcher() {
               public Object getService(ContextImpl ctx) {
                   return AccessibilityManager.getInstance(ctx);
               }});
       registerService(CAPTIONING_SERVICE, new ServiceFetcher() {
               public Object getService(ContextImpl ctx) {
                   return new CaptioningManager(ctx);
               }});
       registerService(ACCOUNT_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   IBinder b = ServiceManager.getService(ACCOUNT_SERVICE);
                   IAccountManager service = IAccountManager.Stub.asInterface(b);
                   return new AccountManager(ctx, service);
               }});
       registerService(ACTIVITY_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new ActivityManager(ctx.getOuterContext(), ctx.mMainThread.getHandler());
               }});
       registerService(ALARM_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   IBinder b = ServiceManager.getService(ALARM_SERVICE);
                   IAlarmManager service = IAlarmManager.Stub.asInterface(b);
                   return new AlarmManager(service, ctx);
               }});
       registerService(AUDIO_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new AudioManager(ctx);
               }});
       registerService(MEDIA_ROUTER_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new MediaRouter(ctx);
               }});
       registerService(BLUETOOTH_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new BluetoothManager(ctx);
               }});
       registerService(HDMI_CONTROL_SERVICE, new StaticServiceFetcher() {
               public Object createStaticService() {
                   IBinder b = ServiceManager.getService(HDMI_CONTROL_SERVICE);
                   return new HdmiControlManager(IHdmiControlService.Stub.asInterface(b));
               }});
       registerService(CLIPBOARD_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new ClipboardManager(ctx.getOuterContext(),
                           ctx.mMainThread.getHandler());
               }});
       registerService(CONNECTIVITY_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   IBinder b = ServiceManager.getService(CONNECTIVITY_SERVICE);
                   return new ConnectivityManager(IConnectivityManager.Stub.asInterface(b));
               }});
       registerService(COUNTRY_DETECTOR, new StaticServiceFetcher() {
               public Object createStaticService() {
                   IBinder b = ServiceManager.getService(COUNTRY_DETECTOR);
                   return new CountryDetector(ICountryDetector.Stub.asInterface(b));
               }});
       registerService(DEVICE_POLICY_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return DevicePolicyManager.create(ctx, ctx.mMainThread.getHandler());
               }});
       registerService(DOWNLOAD_SERVICE, new ServiceFetcher() {
               public Object createService(ContextImpl ctx) {
                   return new DownloadManager(ctx.getContentResolver(), ctx.getPackageName());
               }});
       ....
}

显然,以getSystemService(ALARM_SERVICE)为例,最终返回的对象是AlarmManager对象。
从它的注册过程可见,获取SystemService的步骤为: 

1
2
3
4
 //获取BinderProxy对象,该对象的mObject指向native层的一个BpBinder对象,而该BpBinder对象中含有service_name注册在context_manager中的handle
IBinder b = ServiceManager.getService("service_name");
//转换为Service接口,其实是返回IXXInterface.Stub.Proxy对象
IXXInterface in = IXXInterface.Stub.asInterface(b);

虽然表现形式上有些不一致,但是大致都是这个步骤。其中ServiceManager中的getService()方法如下: 

1
2
3
4
5
6
7
8
9
10
11
12
13
public static IBinder getService(String name) {
       try {
           IBinder service = sCache.get(name);
           if (service != null) {
               return service;
           } else {
               return getIServiceManager().getService(name);
           }
       } catch (RemoteException e) {
           Log.e(TAG, "error in getService", e);
       }
       return null;
   }

老套路,这里getIServiceManager()返回一个ServiceManagerProxy对象,只不过这个ServiceManagerProxy对象比较特殊,它的成员mRemote虽然还是BinderProxy对象,但是这个BinderProxy对象中的mObject对应的是BpBinder中的handle是context_manager而不是某个用户注册的服务。

Java服务框架分析这篇Blog中进行了很详细的分析,这里就不展开了。

4.结语

ServiceManager是一个重要的Hook点,所以本文进行了较详细的分析,为了避免篇幅过长,还有一些东西在涉及到时在讲解。