D:\linux\ubuntu\touch\libhybris\libhybris_0.1.0+git20130606+c5d897a.orig\libhybris-0.1.0+git20130606+c5d897a\compat\surface_flinger\surface_flinger_compatibility_layer.cpp
SfSurface* sf_surface_create(SfClient* client, SfSurfaceCreationParameters* params)
{
 assert(client);
 assert(params);

SfSurface* surface = new SfSurface();
 surface->client = client;
 surface->surface_control = surface->client->client->createSurface(
     android::String8(params->name),
     params->w,
     params->h,
     android::PIXEL_FORMAT_RGBA_8888,
     0x300);

if (surface->surface_control == NULL) {
  report_surface_control_is_null_during_creation();
  delete(surface);
  return NULL;
 }
void report_surface_control_is_null_during_creation()
{
 printf("Could not acquire surface control object during surface creation");
}
SfClient* sf_client_create()
{
 return sf_client_create_full(true);
}
SfClient* sf_client_create_full(bool egl_support)
{
 SfClient* client = new SfClient();

client->client = new android::SurfaceComposerClient();
D:\linux\ubuntu\touch\libhybris\libhybris_0.1.0+git20130606+c5d897a.orig\libhybris-0.1.0+git20130606+c5d897a\compat\surface_flinger\direct_sf_test.cpp
int main(int argc, char** argv)
{
 SfClient* sf_client = sf_client_create();
 SfSurface* sf_surface = sf_surface_create(sf_client, &params);
D:\linux\ubuntu\touch\libhybris\libhybris_0.1.0+git20130606+c5d897a.orig\surface_flinger_compatibility_layer_internal.h
struct SfClient
{
 android::sp<android::SurfaceComposerClient> client;
 EGLDisplay egl_display;
 EGLConfig egl_config;
 EGLContext egl_context;
 bool egl_support;
};
F:\linux\phablet-ubuntu-20130618\frameworks\native\libs\gui\SurfaceComposerClient.cpp
sp<SurfaceControl> SurfaceComposerClient::createSurface(
        const String8& name,
        uint32_t w,
        uint32_t h,
        PixelFormat format,
        uint32_t flags)
{
    sp<SurfaceControl> result;
    if (mStatus == NO_ERROR) {
        ISurfaceComposerClient::surface_data_t data;
        sp<ISurface> surface = mClient->createSurface(&data, name,
                w, h, format, flags);
        if (surface != 0) {
            result = new SurfaceControl(this, surface, data);
        }
    }
    return result;
}
void SurfaceComposerClient::onFirstRef() {
    sp<ISurfaceComposer> sm(ComposerService::getComposerService());
    if (sm != 0) {
        sp<ISurfaceComposerClient> conn = sm->createConnection();
        if (conn != 0) {
            mClient = conn;
            mStatus = NO_ERROR;
        }
    }
}
F:\linux\phablet-ubuntu-20130618\frameworks\native\include\binder\Binder.h
class BpRefBase : public virtual RefBase
{
    inline  IBinder*        remote()                { return mRemote; }
    inline  IBinder*        remote() const          { return mRemote; }
******************************
http://www.cnblogs.com/innost/archive/2011/01/09/1931456.html
http://blog.csdn.net/myarrow/article/details/7180561
F:\linux\phablet-ubuntu-20130618\frameworks\native\libs\gui\ISurfaceComposerClient.cpp
class BpSurfaceComposerClient : public BpInterface<ISurfaceComposerClient>
{
    virtual sp<ISurface> createSurface( surface_data_t* params,
                                        const String8& name,
                                        uint32_t w,
                                        uint32_t h,
                                        PixelFormat format,
                                        uint32_t flags)
    {
        remote()->transact(CREATE_SURFACE, data, &reply);
status_t BnSurfaceComposerClient::onTransact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
            sp<ISurface> s = createSurface(&params, name, w, h,
                    format, flags);
f:\linux\phablet-ubuntu-20130618\frameworks\native\services\surfaceflinger\Client.cpp
sp<ISurface> Client::createSurface(
        ISurfaceComposerClient::surface_data_t* params,
        const String8& name,
        uint32_t w, uint32_t h, PixelFormat format,
        uint32_t flags)
{
    mFlinger->postMessageSync(msg);  //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\services\surfaceflinger\SurfaceFlinger.cpp
status_t SurfaceFlinger::postMessageSync(const sp<MessageBase>& msg,
        nsecs_t reltime, uint32_t flags) {
    status_t res = mEventQueue.postMessage(msg, reltime);
    if (res == NO_ERROR) {
        msg->wait();   //segfault
    }
    return res;
}
sp<ISurface> SurfaceFlinger::createLayer(
        ISurfaceComposerClient::surface_data_t* params,
        const String8& name,
        const sp<Client>& client,
       uint32_t w, uint32_t h, PixelFormat format,
        uint32_t flags)
{
    switch (flags & ISurfaceComposerClient::eFXSurfaceMask) {
        case ISurfaceComposerClient::eFXSurfaceNormal:
            layer = createNormalLayer(client, w, h, flags, format);  //segfault
            break;
sp<Layer> SurfaceFlinger::createNormalLayer(
        const sp<Client>& client,
        uint32_t w, uint32_t h, uint32_t flags,
        PixelFormat& format)
{
 sp<Layer> layer = new Layer(this, client);  //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\services\surfaceflinger\Layer.cpp
void Layer::onFirstRef()
{
    // Creates a custom BufferQueue for SurfaceTexture to use
    sp<BufferQueue> bq = new SurfaceTextureLayer();  //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\gui\BufferQueue.cpp
BufferQueue::BufferQueue(bool allowSynchronousMode,
        const sp<IGraphicBufferAlloc>& allocator) :
    mDefaultWidth(1),
    mDefaultHeight(1),
    mMaxAcquiredBufferCount(1),
    mDefaultMaxBufferCount(2),
    mOverrideMaxBufferCount(0),
    mSynchronousMode(false),
    mAllowSynchronousMode(allowSynchronousMode),
    mConnectedApi(NO_CONNECTED_API),
    mAbandoned(false),
    mFrameCounter(0),
    mBufferHasBeenQueued(false),
    mDefaultBufferFormat(PIXEL_FORMAT_RGBA_8888),
    mConsumerUsageBits(0),
    mTransformHint(0)
{
        sp<ISurfaceComposer> composer(ComposerService::getComposerService());  //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\gui\SurfaceComposerClient.cpp
/*static*/ sp<ISurfaceComposer> ComposerService::getComposerService() {
 ALOGD("ComposerService::getComposerService");
    ComposerService& instance = ComposerService::getInstance();  //segfault
F:\linux\phablet-ubuntu-20130618\frameworks\native\include\private\gui\ComposerService.h
frameworks/base/include/utils/Singleton.h
ANDROID_SINGLETON_STATIC_INSTANCE(ComposerService);
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\gui\SurfaceComposerClient.cpp
ComposerService::ComposerService()
: Singleton<ComposerService>() {
    Mutex::Autolock _l(mLock);
    connectLocked();  //segfault
void ComposerService::connectLocked() {
    const String16 name("SurfaceFlinger");
    while (getService(name, &mComposerService) != NO_ERROR) {   //segfault
        usleep(250000);
    }
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\include\binder\IServiceManager.h
template<typename INTERFACE>
status_t getService(const String16& name, sp<INTERFACE>* outService)
{
        *outService = interface_cast<INTERFACE>(sm->getService(name));     //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\binder\IServiceManager.cpp
class BpServiceManager : public BpInterface<IServiceManager>
{
    virtual sp<IBinder> getService(const String16& name) const
    {
            sp<IBinder> svc = checkService(name);  //segfault
    virtual sp<IBinder> checkService( const String16& name) const
    {
        remote()->transact(CHECK_SERVICE_TRANSACTION, data, &reply);     //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\binder\BpBinder.cpp
status_t BpBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
        status_t status = IPCThreadState::self()->transact(
            mHandle, code, data, reply, flags);                 //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\binder\IPCThreadState.cpp
status_t IPCThreadState::transact(int32_t handle,
                                  uint32_t code, const Parcel& data,
                                  Parcel* reply, uint32_t flags)
{
        err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);     //segfault
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
    mOut.writeInt32(cmd);           //segfault
\\192.168.1.101\1\touch\export\phablet-ubuntu-20130618\frameworks\native\libs\binder\Parcel.cpp
template<class T>
status_t Parcel::writeAligned(T val) {
 if ((mDataPos+sizeof(val)) <= mDataCapacity) {
restart_write:
        *reinterpret_cast<T*>(mData+mDataPos) = val;          //segfault

f:\linux\phablet-ubuntu-20130618\frameworks\native\services\surfaceflinger\Client.h
class Client : public BnSurfaceComposerClient
{
    // ISurfaceComposerClient interface
    virtual sp<ISurface> createSurface(
            surface_data_t* params, const String8& name,
            uint32_t w, uint32_t h,PixelFormat format,
            uint32_t flags);
f:\linux\phablet-ubuntu-20130618\frameworks\native\include\binder\BpBinder.h
F:\linux\phablet-ubuntu-20130618\frameworks\native\libs\binder\BpBinder.cpp
status_t BpBinder::transact(
    uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
        status_t status = IPCThreadState::self()->transact(
            mHandle, code, data, reply, flags);
F:\linux\phablet-ubuntu-20130618\frameworks\native\libs\binder\IPCThreadState.cpp
status_t IPCThreadState::transact(int32_t handle,
                                  uint32_t code, const Parcel& data,
                                  Parcel* reply, uint32_t flags)
{
        err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
    int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
    mOut.writeInt32(cmd);
    mOut.write(&tr, sizeof(tr));
F:\linux\phablet-ubuntu-20130618\frameworks\native\libs\binder\Parcel.cpp
status_t Parcel::writeInt32(int32_t val)
{
    return writeAligned(val);
}
status_t Parcel::writeAligned(T val) {

05-11 17:32