(4.6.10.3) Binder transfer data size limit

oneway (asynchronous)

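1. TransactionTooLargeException

Most developers are familiar with passing data across processes through an Intent, but few have thought about how much data an Intent can actually carry. The following real case illustrates the limit; the code is: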

        Intent intent = new Intent();
        Bitmap  mBmp = BitmapFactory.decodeResource(getResources(), R.drawable.ic_launcher);
        Bitmap b1 = Bitmap.createScaledBitmap(mBmp, 1024, 1024, false);
        intent.putExtra("byte data", b1);
        sendBroadcast(intent);

Running this snippet produces the error below, FAILED BINDER TRANSACTION, which is clearly related to Binder transport. Let's analyze it.

10-18 16:04:39.113  3514  3514 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!  (parcel size = 4194612)
10-18 16:04:39.115  3514  3514 D AndroidRuntime: Shutting down VM
10-18 16:04:39.118  3514  3514 E AndroidRuntime: FATAL EXCEPTION: main
10-18 16:04:39.118  3514  3514 E AndroidRuntime: Process: com.pax.printtest, PID: 3514
10-18 16:04:39.118  3514  3514 E AndroidRuntime: java.lang.RuntimeException: android.os.TransactionTooLargeException: data parcel size 4194612 bytes
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.app.ContextImpl.sendBroadcast(ContextImpl.java:961)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.content.ContextWrapper.sendBroadcast(ContextWrapper.java:428)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at com.pax.api.test.MyJobServiceActivity.FUN3(MyJobServiceActivity.java:71)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at com.pax.api.test.MyJobServiceActivity$1.onClick(MyJobServiceActivity.java:51)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.view.View.performClick(View.java:5637)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.view.View$PerformClick.run(View.java:22433)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.os.Handler.handleCallback(Handler.java:751)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:95)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:154)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:6121)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
10-18 16:04:39.118  3514  3514 E AndroidRuntime: Caused by: android.os.TransactionTooLargeException: data parcel size 4194612 bytes
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.os.BinderProxy.transactNative(Native Method)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.os.BinderProxy.transact(Binder.java:623)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.app.ActivityManagerProxy.broadcastIntent(ActivityManagerNative.java:3536)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        at android.app.ContextImpl.sendBroadcast(ContextImpl.java:956)
10-18 16:04:39.118  3514  3514 E AndroidRuntime:        ... 12 more

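2. The amount of data an Intent can carry is limited by Binder

An ordinary application is a user process forked from Zygote, and the Binder memory it maps is just under 1M, precisely (1*1024*1024) - (4096*2). This limit is defined in frameworks/native/libs/binder/ProcessState.cpp. If the transferred data exceeds this size, the system reports an error, because Binder was designed for frequent, flexible inter-process communication, not for copying large amounts of data. That is why passing large data produces the error above.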

#define BINDER_VM_SIZE ((1*1024*1024) - (4096 *2))
ProcessState::ProcessState()
    : mDriverFD(open_driver()) // open the Binder device driver
    , mVMStart(MAP_FAILED)
    , mManagesContexts(false)
    , mBinderContextCheckFunc(NULL)
    , mBinderContextUserData(NULL)
    , mThreadPoolStarted(false)
    , mThreadPoolSeq(1)
{
    if (mDriverFD >= 0) {
        // XXX Ideally, there should be a specific define for whether we
        // have mmap (or whether we could possibly have the kernel module
        // available).
#if !defined(HAVE_WIN32_IPC)
        // mmap the binder, providing a chunk of virtual address space to receive transactions.
        // Use mmap to give binder a chunk of virtual address space for receiving transactions
        mVMStart = mmap(0, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);
        if (mVMStart == MAP_FAILED) {
            // *sigh*
            ALOGE("Using /dev/binder failed: unable to mmap transaction memory.\n");
            close(mDriverFD); // not enough space could be allocated for /dev/binder, so close the driver
            mDriverFD = -1;
        }
#else
        mDriverFD = -1;
#endif
    }
 
    LOG_ALWAYS_FATAL_IF(mDriverFD < 0, "Binder driver could not be opened.  Terminating.");
}

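As the code shows, the maximum size is already fixed when the memory is mapped, so exceeding the size of the mapping produces the error above.

3. The mmap implementation in the Binder driver has a further 4M limit

Can we initialize the Binder service without ProcessState in order to get past the 1M-8KB limit?

The answer is yes. Initializing the Binder service takes two steps: open opens the Binder driver, and mmap requests kernel-space memory from the Binder driver. So by calling open and mmap by hand we can easily get past this limit.

However, the mmap implementation in the Binder driver has a further 4M limit: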

static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
{
    int ret;
    struct vm_struct *area;
    struct binder_proc *proc = filp->private_data;
    const char *failure_string;
    struct binder_buffer *buffer;

    if (proc->tsk != current)
        return -EINVAL;

    if ((vma->vm_end - vma->vm_start) > SZ_4M)
        vma->vm_end = vma->vm_start + SZ_4M; // a request larger than 4MB is changed to 4MB inside the driver

    binder_debug(BINDER_DEBUG_OPEN_CLOSE,
             "binder_mmap: %d %lx-%lx (%ld K) vma %lx pagep %lx\n",
             proc->pid, vma->vm_start, vma->vm_end,
             (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags,
             (unsigned long)pgprot_val(vma->vm_page_prot));
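
As an added example (not code from the original post or from AOSP), the following C program reads the `data parcel size` value from a TransactionTooLargeException log line and checks it against the two limits quoted above. The helper names `effective_map_size`, `parcel_size_from_line` and `could_fit` are hypothetical, and the second log line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Both limits are the values shown on this page. */
#define BINDER_VM_SIZE ((1UL * 1024 * 1024) - (4096UL * 2)) /* ProcessState mmap size */
#define SZ_4M (4UL * 1024 * 1024)                           /* clamp in binder_mmap */

/* Mirrors the driver clamp: a request above 4 MB is cut down to 4 MB. */
unsigned long effective_map_size(unsigned long requested)
{
    return requested > SZ_4M ? SZ_4M : requested;
}

/* Extracts N from "... data parcel size N bytes"; returns 0 if absent. */
unsigned long parcel_size_from_line(const char *line)
{
    const char *p = strstr(line, "data parcel size ");
    unsigned long n = 0;

    if (p == NULL || sscanf(p, "data parcel size %lu bytes", &n) != 1)
        return 0;
    return n;
}

/* Upper bound only: a parcel larger than the whole mapping can never be delivered. */
int could_fit(unsigned long parcel, unsigned long requested_map)
{
    return parcel <= effective_map_size(requested_map);
}

int main(void)
{
    /* Constructed input: first line copied from the page's log, second made up. */
    const char *lines[] = {
        "E AndroidRuntime: Caused by: android.os.TransactionTooLargeException: data parcel size 4194612 bytes",
        "E AndroidRuntime: Caused by: android.os.TransactionTooLargeException: data parcel size 2000000 bytes",
    };

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        unsigned long n = parcel_size_from_line(lines[i]);
        printf("%lu bytes: default mapping %s, hand-made 8 MB mmap request %s\n", n,
               could_fit(n, BINDER_VM_SIZE) ? "large enough" : "too small",
               could_fit(n, 8UL * 1024 * 1024) ? "large enough" : "too small");
    }
    return 0;
}
```

The 4194612-byte parcel from the log above is larger than 4 MB, so it exceeds even a hand-made mapping after the driver clamp.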
