A2dp连接流程源码分析

时间:2021-07-19 00:58:34

在上一篇文章中,我们已经分析了:a2dp初始化流程 这篇文章主要分析a2dp的连接流程,其中还是涉及到一些底层的profile以及protocol,SDP、AVDTP以及L2CAP等。

当蓝牙设备与主机配对完成之后,作为一个BREDR设备,会走SDP的流程进行服务搜索,当服务搜索完成之后,上层应用得到了该设备的相关的服务,将启动相关的profile 的连接流程,如果对方是一个音箱设备,那么就会触发a2dp的连接流程。我们就从开始调用a2dp connect的地方进行分析:

D/BluetoothA2dp( ): connect(C9:::F2:3C:B6)

上面的log 的打印是在BluetoothA2dp.java 中,

    public boolean connect(BluetoothDevice device) {
if (DBG) log("connect(" + device + ")");
if (mService != null && isEnabled() &&
isValidDevice(device)) {
try {
return mService.connect(device);//进行连接
} catch (RemoteException e) {
Log.e(TAG, "Stack:" + Log.getStackTraceString(new Throwable()));
return false;
}
}
if (mService == null) Log.w(TAG, "Proxy not attached to service");
return false;
}

注:文章中涉及到 Android里面的通信机制,binder之类的机制,限于篇幅,暂时不讲,重点讲 代码的执行流程。

这里的mService 就是A2dpService,其实现在package/app/bluetooth 下面,我们继续看:

    public boolean connect(BluetoothDevice device) {
enforceCallingOrSelfPermission(BLUETOOTH_ADMIN_PERM,
"Need BLUETOOTH ADMIN permission"); if (getPriority(device) == BluetoothProfile.PRIORITY_OFF) {//在上传uuid的时候就已经设置了PRIORITY_ON
return false;
}
ParcelUuid[] featureUuids = device.getUuids();
if ((BluetoothUuid.containsAnyUuid(featureUuids, A2DP_SOURCE_UUID)) &&
!(BluetoothUuid.containsAllUuids(featureUuids ,A2DP_SOURCE_SINK_UUIDS))) {//判断是否支持sink
Log.e(TAG,"Remote does not have A2dp Sink UUID");
return false;
} int connectionState = mStateMachine.getConnectionState(device);
if (connectionState == BluetoothProfile.STATE_CONNECTED ||
connectionState == BluetoothProfile.STATE_CONNECTING) {
return false;
} mStateMachine.sendMessage(A2dpStateMachine.CONNECT, device);//发送消息进行连接
return true;
}

下面接着看 消息的处理,这个消息是发往A2dpStateMachine的,最开始是进入到Disconnected的状态机,看看其处理:

switch(message.what) {
case CONNECT:
BluetoothDevice device = (BluetoothDevice) message.obj;
broadcastConnectionState(device, BluetoothProfile.STATE_CONNECTING,
BluetoothProfile.STATE_DISCONNECTED); if (!connectA2dpNative(getByteAddress(device)) ) {//调用native 的connect
broadcastConnectionState(device, BluetoothProfile.STATE_DISCONNECTED,
BluetoothProfile.STATE_CONNECTING);
break;
}

这里涉及到JNI的通信,其机制很简单,限于篇幅也不讲解了。其实现在com_android_com_android_bluetooh.cpp中:

static jboolean connectA2dpNative(JNIEnv *env, jobject object, jbyteArray address) {
jbyte *addr;
bt_bdaddr_t * btAddr;
bt_status_t status; ALOGI("%s: sBluetoothA2dpInterface: %p", __FUNCTION__, sBluetoothA2dpInterface);
if (!sBluetoothA2dpInterface) return JNI_FALSE; addr = env->GetByteArrayElements(address, NULL);
btAddr = (bt_bdaddr_t *) addr;
if (!addr) {
jniThrowIOException(env, EINVAL);
return JNI_FALSE;
} if ((status = sBluetoothA2dpInterface->connect((bt_bdaddr_t *)addr)) != BT_STATUS_SUCCESS) {//调用bluedroid里面的a2dp的connect接口
ALOGE("Failed HF connection, status: %d", status);
}
env->ReleaseByteArrayElements(address, addr, );
return (status == BT_STATUS_SUCCESS) ? JNI_TRUE : JNI_FALSE;
}

到这里之后,连接的流程就直接进入到协议栈了,这之后就完全是C语言的代码,a2dp的connect 接口实现在btif_av.c里面 ,我们继续看,

static bt_status_t src_connect_sink(bt_bdaddr_t *bd_addr)
{
CHECK_BTAV_INIT(); return btif_queue_connect(UUID_SERVCLASS_AUDIO_SOURCE, bd_addr, connect_int);
}

我们继续看 btif_queue_connect 做了什么?从他的注释中,我们看出他是先把建立连接的信息加入到queue中,并且触发queue中的下一次的连接操作。

/*******************************************************************************
**
** Function btif_queue_connect
**
** Description Add a new connection to the queue and trigger the next
** scheduled connection.
**
** Returns BT_STATUS_SUCCESS if successful
**
*******************************************************************************/
bt_status_t btif_queue_connect(uint16_t uuid, const bt_bdaddr_t *bda, btif_connect_cb_t connect_cb) {
connect_node_t node;
memset(&node, , sizeof(connect_node_t));
memcpy(&node.bda, bda, sizeof(bt_bdaddr_t));
node.uuid = uuid;
node.connect_cb = connect_cb; return btif_transfer_context(queue_int_handle_evt, BTIF_QUEUE_CONNECT_EVT,
(char *)&node, sizeof(connect_node_t), NULL);
}

把建立连接的事情 transfer到 btif task中,我们继续看:

static void queue_int_handle_evt(UINT16 event, char *p_param) {
switch(event) {
case BTIF_QUEUE_CONNECT_EVT:
queue_int_add((connect_node_t *)p_param);//这里果然是加入到队列中了
break; case BTIF_QUEUE_ADVANCE_EVT:
queue_int_advance();
break;
} if (stack_manager_get_interface()->get_stack_is_running())
btif_queue_connect_next();//触发下一个连接
}

我们看看btif_queue_connect_next 的实现:

// This function dispatches the next pending connect request. It is called from
// stack_manager when the stack comes up.
bt_status_t btif_queue_connect_next(void) {
if (!connect_queue || list_is_empty(connect_queue))
return BT_STATUS_FAIL; connect_node_t *p_head = list_front(connect_queue); // If the queue is currently busy, we return success anyway,
// since the connection has been queued...
if (p_head->busy)
return BT_STATUS_SUCCESS; p_head->busy = true;
return p_head->connect_cb(&p_head->bda, p_head->uuid);//执行队列中第一个连接任务
}

看到上面的代码,我们明白,a2dp的连接执行的函数就是connect_int(bd_addr,UUID_SERVCLASS_AUDIO_SOURCE) ,我们继续分析这个函数:

/*******************************************************************************
**
** Function connect
**
** Description Establishes the AV signalling channel with the remote headset
**
** Returns bt_status_t
**
*******************************************************************************/ static bt_status_t connect_int(bt_bdaddr_t *bd_addr, uint16_t uuid)
{
btif_av_connect_req_t connect_req;
connect_req.target_bda = bd_addr;
connect_req.uuid = uuid; btif_av_cb.uuid = uuid;//保存uuid:UUID_SERVCLASS_AUDIO_SOURCE btif_sm_dispatch(btif_av_cb.sm_handle, BTIF_AV_CONNECT_REQ_EVT, (char*)&connect_req);//放置到状态表中让其自动执行 return BT_STATUS_SUCCESS;
}

当前的状态是idle,

/*****************************************************************************
**
** Function btif_av_state_idle_handler
**
** Description State managing disconnected AV link
**
** Returns TRUE if event was processed, FALSE otherwise
**
*******************************************************************************/ static BOOLEAN btif_av_state_idle_handler(btif_sm_event_t event, void *p_data)
{
switch (event)
{
...
case BTIF_AV_CONNECT_REQ_EVT:
{
if (event == BTIF_AV_CONNECT_REQ_EVT)
{
memcpy(&btif_av_cb.peer_bda, ((btif_av_connect_req_t*)p_data)->target_bda,
sizeof(bt_bdaddr_t));
BTA_AvOpen(btif_av_cb.peer_bda.address, btif_av_cb.bta_handle,
TRUE, BTA_SEC_AUTHENTICATE, ((btif_av_connect_req_t*)p_data)->uuid);//BTA_AvOpen
}
else if (event == BTA_AV_PENDING_EVT)
{
bdcpy(btif_av_cb.peer_bda.address, ((tBTA_AV*)p_data)->pend.bd_addr);
BTA_AvOpen(btif_av_cb.peer_bda.address, btif_av_cb.bta_handle,
TRUE, BTA_SEC_AUTHENTICATE, UUID_SERVCLASS_AUDIO_SOURCE);
}
btif_sm_change_state(btif_av_cb.sm_handle, BTIF_AV_STATE_OPENING);//上报状态
} break;

状态改变,最终会上报到JNI层,这里就不分析了。下面我们重点分析BTA_AvOpen 流程,这个BTA_AvOpen 函数名字是不是有点眼熟?在a2dp初始化的流程中,出现的两个函数是BTA_AvEnable和BTA_AvRegister,这里来分析其兄弟函数BTA_AvOpen,

/*******************************************************************************
**
** Function BTA_AvOpen
**
** Description Opens an advanced audio/video connection to a peer device.
** When connection is open callback function is called
** with a BTA_AV_OPEN_EVT.
**
** Returns void
**
*******************************************************************************/
void BTA_AvOpen(BD_ADDR bd_addr, tBTA_AV_HNDL handle, BOOLEAN use_rc, tBTA_SEC sec_mask,
UINT16 uuid)
{
tBTA_AV_API_OPEN *p_buf; if ((p_buf = (tBTA_AV_API_OPEN *) GKI_getbuf(sizeof(tBTA_AV_API_OPEN))) != NULL)
{
p_buf->hdr.event = BTA_AV_API_OPEN_EVT;
p_buf->hdr.layer_specific = handle;
bdcpy(p_buf->bd_addr, bd_addr);
p_buf->use_rc = use_rc;
p_buf->sec_mask = sec_mask;
p_buf->switch_res = BTA_AV_RS_NONE;
p_buf->uuid = uuid;
bta_sys_sendmsg(p_buf);
}
}

发送BTA_AV_API_OPEN_EVT 时间到btu task.继续分析:

根据我们之前的分析,这个event是在bta_av_ssm_execute 里面处理的:

/*******************************************************************************
**
** Function bta_av_ssm_execute
**
** Description Stream state machine event handling function for AV
**
**
** Returns void
**
*******************************************************************************/
void bta_av_ssm_execute(tBTA_AV_SCB *p_scb, UINT16 event, tBTA_AV_DATA *p_data)
{
tBTA_AV_SST_TBL state_table;
UINT8 action;
int i, xx;
... /* look up the state table for the current state */
state_table = bta_av_sst_tbl[p_scb->state]; event -= BTA_AV_FIRST_SSM_EVT; /* set next state */
p_scb->state = state_table[event][BTA_AV_SNEXT_STATE]; /* execute action functions */
for(i=; i< BTA_AV_SACTIONS; i++)
{
if ((action = state_table[event][i]) != BTA_AV_SIGNORE)
{
(*p_scb->p_act_tbl[action])(p_scb, p_data);
}
else
break;
} }

发现其处理思路都是差不多,先去查阅状态转换表,然后去执行,当前的stream state machine 的状态是bta_av_sst_init

/* AP_OPEN_EVT */           {BTA_AV_DO_DISC,        BTA_AV_SIGNORE,        BTA_AV_OPENING_SST },

发现其执行的动作是BTA_AV_DO_DISC,下一个状态是BTA_AV_OPENING_SST,执行的函数是bta_av_do_disc_a2d,发现现在做的操作是先搜索,我们看看其具体的实现:

/*******************************************************************************
**
** Function bta_av_do_disc_a2d
**
** Description Do service discovery for A2DP.
**
** Returns void
**
*******************************************************************************/
void bta_av_do_disc_a2d (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
BOOLEAN ok_continue = FALSE;
tA2D_SDP_DB_PARAMS db_params;
UINT16 attr_list[] = {ATTR_ID_SERVICE_CLASS_ID_LIST,
ATTR_ID_PROTOCOL_DESC_LIST,
ATTR_ID_BT_PROFILE_DESC_LIST};
UINT16 sdp_uuid = ; /* UUID for which SDP has to be done */ memcpy (&(p_scb->open_api), &(p_data->api_open), sizeof(tBTA_AV_API_OPEN)); switch(p_data->api_open.switch_res)
{
case BTA_AV_RS_NONE:
if (bta_av_switch_if_needed(p_scb) || !bta_av_link_role_ok(p_scb, A2D_SET_MULTL_BIT))
{
/* waiting for role switch result. save the api to control block */
memcpy(&p_scb->q_info.open, &p_data->api_open, sizeof(tBTA_AV_API_OPEN));
p_scb->wait |= BTA_AV_WAIT_ROLE_SW_RES_OPEN;
p_scb->q_tag = BTA_AV_Q_TAG_OPEN;
}
else
{
ok_continue = TRUE;
}
break;
...
}
... /* store peer addr other parameters */
bta_av_save_addr(p_scb, p_data->api_open.bd_addr);
p_scb->sec_mask = p_data->api_open.sec_mask;
p_scb->use_rc = p_data->api_open.use_rc; bta_sys_app_open(BTA_ID_AV, p_scb->app_id, p_scb->peer_addr);//power manager相关,略过 /* allocate discovery database */
if (p_scb->p_disc_db == NULL)
{
p_scb->p_disc_db = (tSDP_DISCOVERY_DB *) GKI_getbuf(BTA_AV_DISC_BUF_SIZE);
} /* only one A2D find service is active at a time */
bta_av_cb.handle = p_scb->hndl; if(p_scb->p_disc_db)
{
/* set up parameters */
db_params.db_len = BTA_AV_DISC_BUF_SIZE;
db_params.num_attr = ;
db_params.p_db = p_scb->p_disc_db;
db_params.p_attrs = attr_list;
p_scb->uuid_int = p_data->api_open.uuid;
if (p_scb->uuid_int == UUID_SERVCLASS_AUDIO_SINK)
sdp_uuid = UUID_SERVCLASS_AUDIO_SOURCE;
else if (p_scb->uuid_int == UUID_SERVCLASS_AUDIO_SOURCE)
sdp_uuid = UUID_SERVCLASS_AUDIO_SINK; APPL_TRACE_DEBUG("uuid_int 0x%x, Doing SDP For 0x%x", p_scb->uuid_int, sdp_uuid);
if(A2D_FindService(sdp_uuid, p_scb->peer_addr, &db_params,
bta_av_a2d_sdp_cback) == A2D_SUCCESS)//具体搜索sink service
{
return;
}
}
...
}

上面的流程很简单,就是进行 sink service的搜索,  其实搜索的att list如下:

UINT16              attr_list[] = {ATTR_ID_SERVICE_CLASS_ID_LIST,
ATTR_ID_PROTOCOL_DESC_LIST,
ATTR_ID_BT_PROFILE_DESC_LIST};

我们继续看搜索服务的实现流程:

/******************************************************************************
**
** Function A2D_FindService
**
** Description This function is called by a client application to
** perform service discovery and retrieve SRC or SNK SDP
** record information from a server. Information is
** returned for the first service record found on the
** server that matches the service UUID. The callback
** function will be executed when service discovery is
** complete. There can only be one outstanding call to
** A2D_FindService() at a time; the application must wait
** for the callback before it makes another call to
** the function.
**
** Input Parameters:
** service_uuid: Indicates SRC or SNK.
**
** bd_addr: BD address of the peer device.
**
** p_db: Pointer to the information to initialize
** the discovery database.
**
** p_cback: Pointer to the A2D_FindService()
** callback function.
**
** Output Parameters:
** None.
**
** Returns A2D_SUCCESS if function execution succeeded,
** A2D_INVALID_PARAMS if bad parameters are given.
** A2D_BUSY if discovery is already in progress.
** A2D_FAIL if function execution failed.
**
******************************************************************************/
tA2D_STATUS A2D_FindService(UINT16 service_uuid, BD_ADDR bd_addr,
tA2D_SDP_DB_PARAMS *p_db, tA2D_FIND_CBACK *p_cback)
{
tSDP_UUID uuid_list;
BOOLEAN result = TRUE;
UINT16 a2d_attr_list[] = {ATTR_ID_SERVICE_CLASS_ID_LIST, /* update A2D_NUM_ATTR, if changed */
ATTR_ID_BT_PROFILE_DESC_LIST,
ATTR_ID_SUPPORTED_FEATURES,
ATTR_ID_SERVICE_NAME,
ATTR_ID_PROTOCOL_DESC_LIST,
ATTR_ID_PROVIDER_NAME}; /* set up discovery database */
uuid_list.len = LEN_UUID_16;
uuid_list.uu.uuid16 = service_uuid; if(p_db->p_attrs == NULL || p_db->num_attr == )//已经设置好了
{
p_db->p_attrs = a2d_attr_list;
p_db->num_attr = A2D_NUM_ATTR;
} result = SDP_InitDiscoveryDb(p_db->p_db, p_db->db_len, , &uuid_list, p_db->num_attr,
p_db->p_attrs);//初始化数据库 if (result == TRUE)
{
/* store service_uuid and discovery db pointer */
a2d_cb.find.p_db = p_db->p_db;
a2d_cb.find.service_uuid = service_uuid;
a2d_cb.find.p_cback = p_cback; /* perform service search */
result = SDP_ServiceSearchAttributeRequest(bd_addr, p_db->p_db, a2d_sdp_cback);//执行service search
if(FALSE == result)
{
a2d_cb.find.service_uuid = ;
}
} return (result ? A2D_SUCCESS : A2D_FAIL);
}

关于SDP_ServiceSearchAttributeRequest 这个函数在sdp 服务搜索流程 中已经详细讲过,这里不再详细讲解,搜索完成之后执行回调函数a2d_sdp_cback,我们看其实现:

/******************************************************************************
**
** Function a2d_sdp_cback
**
** Description This is the SDP callback function used by A2D_FindService.
** This function will be executed by SDP when the service
** search is completed. If the search is successful, it
** finds the first record in the database that matches the
** UUID of the search. Then retrieves various parameters
** from the record. When it is finished it calls the
** application callback function.
**
** Returns Nothing.
**
******************************************************************************/
static void a2d_sdp_cback(UINT16 status)
{
tSDP_DISC_REC *p_rec = NULL;
tSDP_DISC_ATTR *p_attr;
BOOLEAN found = FALSE;
tA2D_Service a2d_svc;
tSDP_PROTOCOL_ELEM elem; if (status == SDP_SUCCESS)
{
/* loop through all records we found */
do
{
/* get next record; if none found, we're done */
if ((p_rec = SDP_FindServiceInDb(a2d_cb.find.p_db,
a2d_cb.find.service_uuid, p_rec)) == NULL)
{
break;
}
memset(&a2d_svc, , sizeof(tA2D_Service)); /* get service name */
if ((p_attr = SDP_FindAttributeInRec(p_rec,
ATTR_ID_SERVICE_NAME)) != NULL)
{
a2d_svc.p_service_name = (char *) p_attr->attr_value.v.array;
a2d_svc.service_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
} /* get provider name */
if ((p_attr = SDP_FindAttributeInRec(p_rec,
ATTR_ID_PROVIDER_NAME)) != NULL)
{
a2d_svc.p_provider_name = (char *) p_attr->attr_value.v.array;
a2d_svc.provider_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
} /* get supported features */
if ((p_attr = SDP_FindAttributeInRec(p_rec,
ATTR_ID_SUPPORTED_FEATURES)) != NULL)
{
a2d_svc.features = p_attr->attr_value.v.u16;
} /* get AVDTP version */
if (SDP_FindProtocolListElemInRec(p_rec, UUID_PROTOCOL_AVDTP, &elem))
{
a2d_svc.avdt_version = elem.params[];
A2D_TRACE_DEBUG("avdt_version: 0x%x", a2d_svc.avdt_version);
} /* we've got everything, we're done */
found = TRUE;
break; } while (TRUE);
} a2d_cb.find.service_uuid = ;
/* return info from sdp record in app callback function */
if (a2d_cb.find.p_cback != NULL)
{
(*a2d_cb.find.p_cback)(found, &a2d_svc);//将获取的数据保存在a2d_svc,然后再次调用回调函数bta_av_a2d_sdp_cback上报
} return;
}

此函数就是处理 搜索的结果,然后再次调用bta_av_a2d_sdp_cback来上报结果,我们继续分析这个回调函数,:

/*******************************************************************************
**
** Function bta_av_a2d_sdp_cback
**
** Description A2DP service discovery callback.
**
** Returns void
**
*******************************************************************************/
static void bta_av_a2d_sdp_cback(BOOLEAN found, tA2D_Service *p_service)
{
tBTA_AV_SDP_RES *p_msg;
tBTA_AV_SCB *p_scb; if ((p_msg = (tBTA_AV_SDP_RES *) GKI_getbuf(sizeof(tBTA_AV_SDP_RES))) != NULL)
{
p_msg->hdr.event = (found) ? BTA_AV_SDP_DISC_OK_EVT : BTA_AV_SDP_DISC_FAIL_EVT; p_scb = bta_av_hndl_to_scb(bta_av_cb.handle);
if (p_scb)
{
if (found && (p_service != NULL))
p_scb->avdt_version = p_service->avdt_version;
else
p_scb->avdt_version = 0x00; p_msg->hdr.layer_specific = bta_av_cb.handle;
bta_sys_sendmsg(p_msg);
}
}
}

这里发现是向BTU 线程发送BTA_AV_SDP_DISC_OK_EVT 事件,那说明还不是直接在这个回调函数里面去处理的,我们继续看BTA_AV_SDP_DISC_OK_EVT 的处理:

根据a2dp 初始化一文中的分析,他应该是由bta_av_ssm_execute 来处理,我们看看具体的处理:

 AV Sevent(0x41)=0x1214(SDP_DISC_OK) state=(OPENING)

状态机的处理讨论都是一样的,这里不作细节分析:

/* SDP_DISC_OK_EVT */       {BTA_AV_CONNECT_REQ,    BTA_AV_SIGNORE,        BTA_AV_OPENING_SST },

发现状态不变,下一个状态还是BTA_AV_OPENING_SST,执行的动作是BTA_AV_CONNECT_REQ,那么看起来是要进行请求连接的操作的流程了,我们继续看:

执行的函数是bta_av_connect_req:

/*******************************************************************************
**
** Function bta_av_connect_req
**
** Description Connect AVDTP connection.
**
** Returns void
**
*******************************************************************************/
void bta_av_connect_req (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
UNUSED(p_data); utl_freebuf((void **) &p_scb->p_disc_db); if (p_scb->coll_mask & BTA_AV_COLL_INC_TMR)
{
/* SNK initiated L2C connection while SRC was doing SDP. */
/* Wait until timeout to check if SNK starts signalling. */
APPL_TRACE_EVENT("bta_av_connect_req: coll_mask = 0x%2X", p_scb->coll_mask);
return;
} AVDT_ConnectReq(p_scb->peer_addr, p_scb->sec_mask, bta_av_dt_cback[p_scb->hdi]);//进入到AVDTP的流程了
}

从函数名称,我们可以发现,a2dp的连接其实是建立在AVDTP 的基础之上的,下面执行到AVDTP 层面的连接了,另外这个函数的第三个参数是 用hdi 作为索引的回调函数,在一簇回调函数中,其实现逻辑是相同的,只是处理的pscb是不同的。现在我们看看 AVDT_ConnectReq的实现:

/*******************************************************************************
**
** Function AVDT_ConnectReq
**
** Description This function initiates an AVDTP signaling connection
** to the peer device. When the connection is completed, an
** AVDT_CONNECT_IND_EVT is sent to the application via its
** control callback function. If the connection attempt fails
** an AVDT_DISCONNECT_IND_EVT is sent. The security mask
** parameter overrides the outgoing security mask set in
** AVDT_Register().
**
** Returns AVDT_SUCCESS if successful, otherwise error.
**
*******************************************************************************/
UINT16 AVDT_ConnectReq(BD_ADDR bd_addr, UINT8 sec_mask, tAVDT_CTRL_CBACK *p_cback)
{
tAVDT_CCB *p_ccb = NULL;
UINT16 result = AVDT_SUCCESS;
tAVDT_CCB_EVT evt; /* find channel control block for this bd addr; if none, allocate one */
if ((p_ccb = avdt_ccb_by_bd(bd_addr)) == NULL)
{
if ((p_ccb = avdt_ccb_alloc(bd_addr)) == NULL)
{
/* could not allocate channel control block */
result = AVDT_NO_RESOURCES;
}
}
... if (result == AVDT_SUCCESS)
{
/* send event to ccb */
evt.connect.p_cback = p_cback;//bta_av_stream0_cback 具体根据index
evt.connect.sec_mask = sec_mask;
avdt_ccb_event(p_ccb, AVDT_CCB_API_CONNECT_REQ_EVT, &evt);//进入avdtp 的状态机
}
return result;
}

这里我们发现,其做的事情,先分配了 tAVDT_CCB 结构,然后发送AVDT_CCB_API_CONNECT_REQ_EVT 进入到AVDTP的状态机中,现在我们看看其状态机实现:

/*******************************************************************************
**
** Function avdt_ccb_event
**
** Description State machine event handling function for ccb
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ccb_event(tAVDT_CCB *p_ccb, UINT8 event, tAVDT_CCB_EVT *p_data)
{
tAVDT_CCB_ST_TBL state_table;
UINT8 action;
int i; /* look up the state table for the current state */
state_table = avdt_ccb_st_tbl[p_ccb->state]; /* set next state */
if (p_ccb->state != state_table[event][AVDT_CCB_NEXT_STATE]) {
p_ccb->state = state_table[event][AVDT_CCB_NEXT_STATE];
} /* execute action functions */
for (i = ; i < AVDT_CCB_ACTIONS; i++)
{
if ((action = state_table[event][i]) != AVDT_CCB_IGNORE)
{
(*avdt_cb.p_ccb_act[action])(p_ccb, p_data);
}
else
{
break;
}
}
}

发现和我们之前遇到的状态机实现的套路是完全一致的,都是先查找对应的状态表,然后设置下一个状态,最后执行状态表中该action 对应的函数。

刚开始的时候AVDT CCB的状态是idle 状态:avdt_ccb_st_idle :

/* API_CONNECT_REQ_EVT */    {AVDT_CCB_SET_CONN,          AVDT_CCB_CHAN_OPEN,         AVDT_CCB_OPENING_ST},

那么下一个状态是AVDT_CCB_OPENING_ST,这里需要注意的是,涉及的状态机非常多,每一个protocol 都可能会涉及到状态机,不要搞乱。

这里执行的action有两个:AVDT_CCB_SET_CONN和AVDT_CCB_CHAN_OPEN,我们分别看其实现:

/*******************************************************************************
**
** Function avdt_ccb_set_conn
**
** Description Set CCB variables associated with AVDT_ConnectReq().
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_set_conn(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
/* save callback */
p_ccb->p_conn_cback = p_data->connect.p_cback;//保存回调bta_av_stream0_cback /* set security level */
BTM_SetSecurityLevel(TRUE, "", BTM_SEC_SERVICE_AVDTP, p_data->connect.sec_mask,
AVDT_PSM, BTM_SEC_PROTO_AVDT, AVDT_CHAN_SIG);
}

继续看channel open 的流程:

/*******************************************************************************
**
** Function avdt_ccb_chan_open
**
** Description This function calls avdt_ad_open_req() to
** initiate a signaling channel connection.
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_chan_open(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
UNUSED(p_data); BTM_SetOutService(p_ccb->peer_addr, BTM_SEC_SERVICE_AVDTP, AVDT_CHAN_SIG);
avdt_ad_open_req(AVDT_CHAN_SIG, p_ccb, NULL, AVDT_INT);//打开channel
}

我们知道channel 是建立于l2cap,那么打开channel,就会建立l2cap 通道。我们继续分析:

/*******************************************************************************
**
** Function avdt_ad_open_req
**
** Description This function is called by a CCB or SCB to open a transport
** channel. This function allocates and initializes a
** transport channel table entry. The channel can be opened
** in two roles: as an initiator or acceptor. When opened
** as an initiator the function will start an L2CAP connection.
** When opened as an acceptor the function simply configures
** the table entry to listen for an incoming channel.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ad_open_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, UINT8 role)
{
tAVDT_TC_TBL *p_tbl;
UINT16 lcid; if((p_tbl = avdt_ad_tc_tbl_alloc(p_ccb)) == NULL)
{
AVDT_TRACE_ERROR("avdt_ad_open_req: Cannot allocate p_tbl");
return;
} p_tbl->tcid = avdt_ad_type_to_tcid(type, p_scb);// if (type == AVDT_CHAN_SIG)
{
/* if signaling, get mtu from registration control block */
p_tbl->my_mtu = avdt_cb.rcb.ctrl_mtu;
p_tbl->my_flush_to = L2CAP_DEFAULT_FLUSH_TO;
}
else
{
...
} /* if we're acceptor, we're done; just sit back and listen */
if (role == AVDT_ACP)
{
p_tbl->state = AVDT_AD_ST_ACP;
}
/* else we're inititator, start the L2CAP connection */
else //打开l2cap的通道
{
p_tbl->state = AVDT_AD_ST_CONN; /* call l2cap connect req */
if ((lcid = L2CA_ConnectReq(AVDT_PSM, p_ccb->peer_addr)) != )
{
/* if connect req ok, store tcid in lcid table */
avdt_cb.ad.lcid_tbl[lcid - L2CAP_BASE_APPL_CID] = avdt_ad_tc_tbl_to_idx(p_tbl);
AVDT_TRACE_DEBUG("avdt_cb.ad.lcid_tbl[%d] = %d",
(lcid - L2CAP_BASE_APPL_CID), avdt_ad_tc_tbl_to_idx(p_tbl)); avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][p_tbl->tcid].lcid = lcid;
AVDT_TRACE_DEBUG("avdt_cb.ad.rt_tbl[%d][%d].lcid = 0x%x",
avdt_ccb_to_idx(p_ccb), p_tbl->tcid,
lcid);
}
else
{
/* if connect req failed, call avdt_ad_tc_close_ind() */
avdt_ad_tc_close_ind(p_tbl, );
}
}
}

这里的逻辑其实很简单,就是基于l2cap 建立AVDTP的通道,在AVDTP register 的时候注册到l2cap的数组函数是  avdt_l2c_appl:

   L2CA_Register(AVDT_PSM, (tL2CAP_APPL_INFO *) &avdt_l2c_appl);
/* L2CAP callback function structure */
const tL2CAP_APPL_INFO avdt_l2c_appl = {
avdt_l2c_connect_ind_cback,
avdt_l2c_connect_cfm_cback,
NULL,
avdt_l2c_config_ind_cback,
avdt_l2c_config_cfm_cback,
avdt_l2c_disconnect_ind_cback,
avdt_l2c_disconnect_cfm_cback,
NULL,
avdt_l2c_data_ind_cback,
avdt_l2c_congestion_ind_cback,
NULL /* tL2CA_TX_COMPLETE_CB */
};

l2cap连接之后,对方回复的处理函数应该是avdt_l2c_connect_cfm_cback:,这个函数就不详细分析了,l2cap channel的连接流程都是先连接,然后配置参数,后续的肯定会执行到L2CA_ConfigReq,我们现在看看配置参数完成之后的流程:

/*******************************************************************************
**
** Function avdt_l2c_config_cfm_cback
**
** Description This is the L2CAP config confirm callback function.
**
**
** Returns void
**
*******************************************************************************/
void avdt_l2c_config_cfm_cback(UINT16 lcid, tL2CAP_CFG_INFO *p_cfg)
{
tAVDT_TC_TBL *p_tbl; /* look up info for this channel */
if ((p_tbl = avdt_ad_tc_tbl_by_lcid(lcid)) != NULL)
{
p_tbl->lcid = lcid; /* if in correct state */
if (p_tbl->state == AVDT_AD_ST_CFG)
{
/* if result successful */
if (p_cfg->result == L2CAP_CONN_OK)
{
/* update cfg_flags */
p_tbl->cfg_flags |= AVDT_L2C_CFG_CFM_DONE; /* if configuration complete */
if (p_tbl->cfg_flags & AVDT_L2C_CFG_IND_DONE)
{
avdt_ad_tc_open_ind(p_tbl);//汇报channel open event
}
}
/* else failure */
else
{
/* Send L2CAP disconnect req */
L2CA_DisconnectReq(lcid);
}
}
}
}

我们继续分析avdt_ad_tc_open_ind,其主要是同住ccb、scb channel open event,我们看代码实现:

/*******************************************************************************
**
** Function avdt_ad_tc_open_ind
**
** Description This function is called by the L2CAP interface when
** the L2CAP channel is opened. It looks up the CCB or SCB
** for the channel and sends it an open event.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ad_tc_open_ind(tAVDT_TC_TBL *p_tbl)
{
tAVDT_CCB *p_ccb;
tAVDT_SCB *p_scb;
tAVDT_OPEN open;
tAVDT_EVT_HDR evt; p_tbl->state = AVDT_AD_ST_OPEN; /* if signaling channel, notify ccb that channel open */
if (p_tbl->tcid == )//当前是先打开signaling channel 进行配置
{
/* set the signal channel to use high priority within the ACL link */
L2CA_SetTxPriority(avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][AVDT_CHAN_SIG].lcid, L2CAP_CHNL_PRIORITY_HIGH); p_ccb = avdt_ccb_by_idx(p_tbl->ccb_idx);
/* use err_param to indicate the role of connection.
* AVDT_ACP, if ACP */
evt.err_param = AVDT_INT;
if(p_tbl->cfg_flags & AVDT_L2C_CFG_CONN_ACP)
{
evt.err_param = AVDT_ACP;
}
avdt_ccb_event(p_ccb, AVDT_CCB_LL_OPEN_EVT, (tAVDT_CCB_EVT *)&evt);//传给ccb来处理
}
/* if media or other channel, notify scb that channel open */
else
{
/* look up scb in stream routing table by ccb, tcid */
p_scb = avdt_scb_by_hdl(avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][p_tbl->tcid].scb_hdl); /* put lcid in event data */
if (p_scb != NULL)
{
open.peer_mtu = p_tbl->peer_mtu;
open.lcid = avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][p_tbl->tcid].lcid;
open.hdr.err_code = avdt_ad_tcid_to_type(p_tbl->tcid);
avdt_scb_event(p_scb, AVDT_SCB_TC_OPEN_EVT, (tAVDT_SCB_EVT *) &open);//传给scb来处理 media channel 信息
}
}
}

这里发现,控制信号是ccb 来处理的,media 数据 是scb 来处理的。我们继续看avdt_ccb_event(p_ccb, AVDT_CCB_LL_OPEN_EVT, (tAVDT_CCB_EVT *)&evt)的处理流程:

传来的事件是AVDT_CCB_LL_OPEN_EVT:

当前的状态是AVDT_CCB_OPENING_ST,

/* LL_OPEN_EVT */            {AVDT_CCB_SND_CMD,           AVDT_CCB_LL_OPENED,         AVDT_CCB_OPEN_ST},

下一个状态是AVDT_CCB_OPEN_ST , 当前状态需要执行的动作是AVDT_CCB_SND_CMD和AVDT_CCB_LL_OPENED,这里分析发现前者是去执行队列中queue住的命令,那这里不去具体分析了,直接看AVDT_CCB_LL_OPENED的流程:

看这个函数的名字,能猜到是已经open 完成,然后做一系列的上报状态的动作。

/*******************************************************************************
**
** Function avdt_ccb_ll_opened
**
** Description Call callback on open.
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_ll_opened(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
tAVDT_CTRL avdt_ctrl; p_ccb->ll_opened = TRUE; if (!p_ccb->p_conn_cback)//!= NULL
p_ccb->p_conn_cback = avdt_cb.p_conn_cback;//没有执行 /* call callback */
if (p_ccb->p_conn_cback)
{
avdt_ctrl.hdr.err_code = ;
avdt_ctrl.hdr.err_param = p_data->msg.hdr.err_param;
(*p_ccb->p_conn_cback)(, p_ccb->peer_addr, AVDT_CONNECT_IND_EVT, &avdt_ctrl);//bta_av_stream0_cback
  } }

参考之前a2dp 初始化的分析发现,这里的回调就是bta_av_stream0_cback,我们继续分析:

/*******************************************************************************
**
** Function bta_av_stream0_cback
**
** Description This is the AVDTP callback function for stream events.
**
** Returns void
**
*******************************************************************************/
static void bta_av_stream0_cback(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data)
{
APPL_TRACE_VERBOSE("bta_av_stream0_cback avdt_handle: %d event=0x%x", handle, event);
bta_av_proc_stream_evt(handle, bd_addr, event, p_data, );
}

BTA_AV_AVDT_CONNECT_EVT

我们继续看bta_av_proc_stream_evt的处理:

/*******************************************************************************
**
** Function bta_av_proc_stream_evt
**
** Description Utility function to compose stream events.
**
** Returns void
**
*******************************************************************************/
static void bta_av_proc_stream_evt(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data, int index)
{
tBTA_AV_STR_MSG *p_msg;
UINT16 sec_len = ;
tBTA_AV_SCB *p_scb = bta_av_cb.p_scb[index];
int xx;
... if (p_scb && (p_msg = (tBTA_AV_STR_MSG *) GKI_getbuf((UINT16) (sizeof(tBTA_AV_STR_MSG) + sec_len))) != NULL)
{ /* copy event data, bd addr, and handle to event message buffer */
p_msg->hdr.offset = ; if (bd_addr != NULL)
{
bdcpy(p_msg->bd_addr, bd_addr);
APPL_TRACE_DEBUG(" bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
bd_addr[], bd_addr[],
bd_addr[], bd_addr[],
bd_addr[], bd_addr[]);
} if (p_data != NULL)
{
memcpy(&p_msg->msg, p_data, sizeof (tAVDT_CTRL));
/* copy config params to event message buffer */
...
}
else
p_msg->msg.hdr.err_code = ; /* look up application event */
if ((p_data == NULL) || (p_data->hdr.err_code == ))
{
p_msg->hdr.event = bta_av_stream_evt_ok[event];//从AVDTP的事件转换到BTA的事件BTA_AV_AVDT_CONNECT_EVT
}
else
{
p_msg->hdr.event = bta_av_stream_evt_fail[event];
} p_msg->initiator = FALSE;
if (event == AVDT_SUSPEND_CFM_EVT)
p_msg->initiator = TRUE; p_msg->hdr.layer_specific = p_scb->hndl;
p_msg->handle = handle;
p_msg->avdt_event = event;
bta_sys_sendmsg(p_msg);
}

/* coverity[var_deref_model] */
/* false-positive: bta_av_conn_cback only processes AVDT_CONNECT_IND_EVT and AVDT_DISCONNECT_IND_EVT event
* these 2 events always have associated p_data */
if (p_data)
{
bta_av_conn_cback(handle, bd_addr, event, p_data);
}
else
{
APPL_TRACE_ERROR("%s: p_data is null", __func__);
}

这里做了两件事:

  1. 发送BTA_AV_AVDT_CONNECT_EVT 到btu task
  2. 执行回调bta_av_conn_cback(handle, bd_addr, event, p_data);

BTA_AV_AVDT_CONNECT_EVT根据之前分析,处理该event的状态机是bta_av_ssm_execute,这个是stream control block,是和stream 相关的。

AV Sevent(0x41)=0x1226(AVDT_CONNECT) state=(OPENING)

当前的状态是opening->bta_av_sst_opening,

/* AVDT_CONNECT_EVT */      {BTA_AV_DISCOVER_REQ,   BTA_AV_SIGNORE,        BTA_AV_OPENING_SST },

这里发现,stream 的下一个状态还是opening,这里需要执行的行为是BTA_AV_DISCOVER_REQ, 执行的函数是bta_av_discover_req,这里就开始了AVDTP signaling的流程了。在分析这个流程之前,我们先看一下上面回调函数做了什么?

void bta_av_conn_cback(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data)
{
tBTA_AV_STR_MSG *p_msg;
UINT16 evt = ; if (event == BTA_AR_AVDT_CONN_EVT ||
event == AVDT_CONNECT_IND_EVT || event == AVDT_DISCONNECT_IND_EVT)
{
evt = BTA_AV_SIG_CHG_EVT;
if(AVDT_DISCONNECT_IND_EVT == event)
p_scb = bta_av_addr_to_scb(bd_addr); if ((p_msg = (tBTA_AV_STR_MSG *) GKI_getbuf((UINT16) (sizeof(tBTA_AV_STR_MSG)))) != NULL)
{
p_msg->hdr.event = evt;//发送BTA_AV_SIG_CHG_EVT
p_msg->hdr.layer_specific = event;//AVDT_CONNECT_IND_EVT = 16
p_msg->hdr.offset = p_data->hdr.err_param;
bdcpy(p_msg->bd_addr, bd_addr); bta_sys_sendmsg(p_msg);
}
} }

该事件 最终会执行:bta_av_sig_chg主要是在bta_av_cb中分配一个和对端地址相对应的tBTA_AV_LCB结构. 对于bta stream state machine没有影响,略过。

下面我们重点分析AVDTP signaling的流程,bta_av_discover_req:这个流程,在hci log也是有所体现,

A2dp连接流程源码分析

大概就是分为discover、get capability、set configuration以及open

下面我们逐步分析这个代码流程:

/*******************************************************************************
**
** Function bta_av_discover_req
**
** Description Send an AVDTP discover request to the peer.
**
** Returns void
**
*******************************************************************************/
void bta_av_discover_req (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
UNUSED(p_data); /* send avdtp discover request */ AVDT_DiscoverReq(p_scb->peer_addr, p_scb->sep_info, BTA_AV_NUM_SEPS, bta_av_dt_cback[p_scb->hdi]);//即将进入到AVDTP 的状态机
}

搜索的结果会保存到p_Scb_sep_info,下面的代码分析会非常的繁琐,这里分析的意义是为了搞清楚AVDTP是如何用代码的形式呈现出来的。

/*******************************************************************************
**
** Function AVDT_DiscoverReq
**
** Description This function initiates a connection to the AVDTP service
** on the peer device, if not already present, and discovers
** the stream endpoints on the peer device. (Please note
** that AVDTP discovery is unrelated to SDP discovery).
** This function can be called at any time regardless of whether
** there is an AVDTP connection to the peer device.
**
** When discovery is complete, an AVDT_DISCOVER_CFM_EVT
** is sent to the application via its callback function.
** The application must not call AVDT_GetCapReq() or
** AVDT_DiscoverReq() again to the same device until
** discovery is complete.
**
** The memory addressed by sep_info is allocated by the
** application. This memory is written to by AVDTP as part
** of the discovery procedure. This memory must remain
** accessible until the application receives the
** AVDT_DISCOVER_CFM_EVT.
**
** Returns AVDT_SUCCESS if successful, otherwise error.
**
*******************************************************************************/
UINT16 AVDT_DiscoverReq(BD_ADDR bd_addr, tAVDT_SEP_INFO *p_sep_info,
UINT8 max_seps, tAVDT_CTRL_CBACK *p_cback)
{
tAVDT_CCB *p_ccb;
UINT16 result = AVDT_SUCCESS;
tAVDT_CCB_EVT evt; /* find channel control block for this bd addr; if none, allocate one */
if ((p_ccb = avdt_ccb_by_bd(bd_addr)) == NULL)
{
...
} if (result == AVDT_SUCCESS)
{
...
/* send event to ccb */
else
{
evt.discover.p_sep_info = p_sep_info;
evt.discover.num_seps = max_seps;
evt.discover.p_cback = p_cback;
avdt_ccb_event(p_ccb, AVDT_CCB_API_DISCOVER_REQ_EVT, &evt);//进入AVDTP状态机
}
}
return result;
}

我们继续看AVDTP状态机的运转:

/*******************************************************************************
**
** Function avdt_ccb_event
**
** Description State machine event handling function for ccb
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ccb_event(tAVDT_CCB *p_ccb, UINT8 event, tAVDT_CCB_EVT *p_data)
{
tAVDT_CCB_ST_TBL state_table;
UINT8 action;
int i; state_table = avdt_ccb_st_tbl[p_ccb->state]; /* set next state */
if (p_ccb->state != state_table[event][AVDT_CCB_NEXT_STATE]) {
p_ccb->state = state_table[event][AVDT_CCB_NEXT_STATE];
} /* execute action functions */
for (i = ; i < AVDT_CCB_ACTIONS; i++)
{
if ((action = state_table[event][i]) != AVDT_CCB_IGNORE)
{
(*avdt_cb.p_ccb_act[action])(p_ccb, p_data);
}
else
{
break;
}
}
}

根据前面的分析,我们已经知道,当前的AVDTP 的channel 的状态已经是打开状态了:AVDT_CCB_OPEN_ST

/* API_DISCOVER_REQ_EVT */   {AVDT_CCB_SND_DISCOVER_CMD,  AVDT_CCB_SND_CMD,           AVDT_CCB_OPEN_ST},

下一个状态依然是 AVDT_CCB_OPEN_ST,执行的action是AVDT_CCB_SND_DISCOVER_CMD和AVDT_CCB_SND_CMD,

我们来分析一下AVDT_CCB_SND_DISCOVER_CMD,

/*******************************************************************************
**
** Function avdt_ccb_snd_discover_cmd
**
** Description This function is called to send a discover command to the
** peer. It copies variables needed for the procedure from
** the event to the CCB. It marks the CCB as busy and then
** sends a discover command.
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_snd_discover_cmd(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
/* store info in ccb struct */
p_ccb->p_proc_data = p_data->discover.p_sep_info;
p_ccb->proc_cback = p_data->discover.p_cback;
p_ccb->proc_param = p_data->discover.num_seps; /* we're busy */
p_ccb->proc_busy = TRUE;//标志当前状态为busy /* build and queue discover req */
avdt_msg_send_cmd(p_ccb, NULL, AVDT_SIG_DISCOVER, NULL);
}

这个函数就是 向对方的设备发送一个discovery的请求,对应的hci log中:Signaling Identifier: AVDTP_DISCOVER

这里因为篇幅的原因就不往下 再分析avdt_msg_send_cmd的流程了。

那当对方回应我们的这条数据的时候,会调用到哪个函数呢?这个其实上面已经分析了L2CA_Register这个函数,(当然L2cap 的状态机轮转,我们这里就不分析了),注册的是avdt_l2c_appl,

执行的函数是avdt_l2c_data_ind_cback,这里也是一步步路由,从l2cap 上传上来的event 是AVDTP_CCB_MSG_DISCOVER_RSP_EVT,到 channel control block:

/* MSG_DISCOVER_RSP_EVT */   {AVDT_CCB_CHK_CLOSE,         AVDT_CCB_HDL_DISCOVER_RSP,  AVDT_CCB_OPEN_ST},

然后执行action:AVDT_CCB_HDL_DISCOVER_RSP,下一个状态依然不变,都是打开状态,我们继续看其实现:avdt_ccb_hdl_discover_rsp:

/*******************************************************************************
**
** Function avdt_ccb_hdl_discover_rsp
**
** Description This function is called when a discover response or
** reject is received from the peer. It calls the application
** callback function with the results.
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_hdl_discover_rsp(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
/* we're done with procedure */
p_ccb->proc_busy = FALSE; /* call app callback with results */
(*p_ccb->proc_cback)(, p_ccb->peer_addr, AVDT_DISCOVER_CFM_EVT,
(tAVDT_CTRL *)(&p_data->msg.discover_rsp));
}

p_ccb->proc_cback其实就是之前 进行AVDT_DiscoverReq传入的参数bta_av_stream0_cback(这里假定就是bta_av_stream0_cback),

/*******************************************************************************
**
** Function bta_av_stream0_cback
**
** Description This is the AVDTP callback function for stream events.
**
** Returns void
**
*******************************************************************************/
static void bta_av_stream0_cback(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data)
{
APPL_TRACE_VERBOSE("bta_av_stream0_cback avdt_handle: %d event=0x%x", handle, event);
bta_av_proc_stream_evt(handle, bd_addr, event, p_data, );
}

发现执行的真正的函数是bta_av_proc_stream_evt,并且最后一个参数是 index,这样封装有什么好处呢?我能想到的是 使得代码的层次感很强,可读性很好。

我们继续分析:

        /* look up application event */
if ((p_data == NULL) || (p_data->hdr.err_code == ))
{
p_msg->hdr.event = bta_av_stream_evt_ok[event];//将AVDTP的event 转换成BTA的event:AVDT_DISCOVER_CFM_EVT-->BTA_AV_STR_DISC_OK_EVT
}
else
{
p_msg->hdr.event = bta_av_stream_evt_fail[event];
} p_msg->initiator = FALSE;
if (event == AVDT_SUSPEND_CFM_EVT)
p_msg->initiator = TRUE; APPL_TRACE_VERBOSE("hndl:x%x", p_scb->hndl);
p_msg->hdr.layer_specific = p_scb->hndl;
p_msg->handle = handle;
p_msg->avdt_event = event;
bta_sys_sendmsg(p_msg);//发送mesg
} /* coverity[var_deref_model] */
/* false-positive: bta_av_conn_cback only processes AVDT_CONNECT_IND_EVT and AVDT_DISCONNECT_IND_EVT event
* these 2 events always have associated p_data */
if (p_data)
{
bta_av_conn_cback(handle, bd_addr, event, p_data);
}
else
{
APPL_TRACE_ERROR("%s: p_data is null", __func__);
}
}

发送的event 是 AVDT_DISCOVER_CFM_EVT,这里发现最后的回调bta_av_conn_cback是不处理 这个event 的,我们直接看看发送msg 到btu task的情况。

    BTA_AV_STR_DISC_OK_EVT,//0x1216
BTA got event 0x1216

发送到btu 的event ,最终路由到bta_av_hdl_event 来统一处理,这里根据不同的event ,也是路由到不同的处理函数,当前的0x1216 是通过bta_av_ssm_execute  来处理:

当前的状态是bta_av_sst_opening,

/* STR_DISC_OK_EVT */       {BTA_AV_DISC_RESULTS,   BTA_AV_SIGNORE,        BTA_AV_OPENING_SST },

下一个状态依然是BTA_AV_OPENING_SST,执行的action 是BTA_AV_DISC_RESULTS,那么看来是要对discovery 的结果进行处理,

/*******************************************************************************
**
** Function bta_av_disc_results
**
** Description Handle the AVDTP discover results. Search through the
** results and find the first available stream, and get
** its capabilities.
**
** Returns void
**
*******************************************************************************/
void bta_av_disc_results (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
UINT8 num_snks = , num_srcs =, i;
/* our uuid in case we initiate connection */
UINT16 uuid_int = p_scb->uuid_int; APPL_TRACE_DEBUG(" initiator UUID 0x%x", uuid_int);
/* store number of stream endpoints returned */
p_scb->num_seps = p_data->str_msg.msg.discover_cfm.num_seps; for (i = ; i < p_scb->num_seps; i++)
{
/* steam not in use, is a sink, and is audio */
if ((p_scb->sep_info[i].in_use == FALSE) &&
(p_scb->sep_info[i].media_type == p_scb->media_type))
{
if((p_scb->sep_info[i].tsep == AVDT_TSEP_SNK) &&
(uuid_int == UUID_SERVCLASS_AUDIO_SOURCE))
num_snks++; if((p_scb->sep_info[i].tsep == AVDT_TSEP_SRC) &&
(uuid_int == UUID_SERVCLASS_AUDIO_SINK))
num_srcs++; }
} p_scb->p_cos->disc_res(p_scb->hndl, p_scb->num_seps, num_snks, num_srcs, p_scb->peer_addr,uuid_int);//bta_av_co_audio_disc_res
p_scb->num_disc_snks = num_snks;
p_scb->num_disc_srcs = num_srcs; /* if we got any */
if (p_scb->num_seps > )
{
/* initialize index into discovery results */
p_scb->sep_info_idx = ; /* get the capabilities of the first available stream */
bta_av_next_getcap(p_scb, p_data);//开始了获取各个端子的能力
}
/* else we got discover response but with no streams; we're done */
else
{
bta_av_ssm_execute(p_scb, BTA_AV_STR_DISC_FAIL_EVT, p_data);
}
}

从这里,我们意识到 代码的流程在处理 discovery 的resp的时候,当拿到对端 端子的数据的时候,就开始 对各个端子进行 获取能力。

下面我们看bta_av_next_getcap的流程:其对应到hci 的log,如下:

A2dp连接流程源码分析

我们 进一步分析:

/*******************************************************************************
**
** Function bta_av_next_getcap
**
** Description The function gets the capabilities of the next available
** stream found in the discovery results.
**
** Returns TRUE if we sent request to AVDT, FALSE otherwise.
**
*******************************************************************************/
static BOOLEAN bta_av_next_getcap(tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
int i;
tAVDT_GETCAP_REQ *p_req;
BOOLEAN sent_cmd = FALSE;
UINT16 uuid_int = p_scb->uuid_int;
UINT8 sep_requested = ; if(uuid_int == UUID_SERVCLASS_AUDIO_SOURCE)
sep_requested = AVDT_TSEP_SNK;
else if(uuid_int == UUID_SERVCLASS_AUDIO_SINK)
sep_requested = AVDT_TSEP_SRC; for (i = p_scb->sep_info_idx; i < p_scb->num_seps; i++)
{
/* steam not in use, is a sink, and is the right media type (audio/video) */
if ((p_scb->sep_info[i].in_use == FALSE) &&
(p_scb->sep_info[i].tsep == sep_requested) &&
(p_scb->sep_info[i].media_type == p_scb->media_type))
{
p_scb->sep_info_idx = i; /* we got a stream; get its capabilities */
if (p_scb->p_cap == NULL)
{
p_scb->p_cap = (tAVDT_CFG *) GKI_getbuf(sizeof(tAVDT_CFG));
}
if (p_scb->p_cap == NULL)
{
i = p_scb->num_seps;
break;
}
if (p_scb->avdt_version >= AVDT_VERSION_SYNC)
{
p_req = AVDT_GetAllCapReq;//获取cap的函数
}
else
{
p_req = AVDT_GetCapReq;
}
(*p_req)(p_scb->peer_addr,
p_scb->sep_info[i].seid,
p_scb->p_cap, bta_av_dt_cback[p_scb->hdi]);//开始获取cap
sent_cmd = TRUE;
break;
}
} ...
return sent_cmd; }

这里注意获取cap的最后一个参数和 discovery 的最后一个参数一样,其本质都是bta_av_stream0_cback回调函数。我们继续分析:

/*******************************************************************************
**
** Function AVDT_GetAllCapReq
**
** Description This function initiates a connection to the AVDTP service
** on the peer device, if not already present, and gets the
** capabilities of a stream endpoint on the peer device.
** This function can be called at any time regardless of
** whether there is an AVDTP connection to the peer device.
**
** When the procedure is complete, an AVDT_GETCAP_CFM_EVT is
** sent to the application via its callback function. The
** application must not call AVDT_GetCapReq() or
** AVDT_DiscoverReq() again until the procedure is complete.
**
** The memory pointed to by p_cfg is allocated by the
** application. This memory is written to by AVDTP as part
** of the get capabilities procedure. This memory must
** remain accessible until the application receives
** the AVDT_GETCAP_CFM_EVT.
**
** Returns AVDT_SUCCESS if successful, otherwise error.
**
*******************************************************************************/
UINT16 AVDT_GetAllCapReq(BD_ADDR bd_addr, UINT8 seid, tAVDT_CFG *p_cfg, tAVDT_CTRL_CBACK *p_cback)
{
tAVDT_CCB_API_GETCAP getcap; getcap.single.seid = seid;
getcap.single.sig_id = AVDT_SIG_GET_ALLCAP;
getcap.p_cfg = p_cfg;
getcap.p_cback = p_cback;
return avdt_get_cap_req (bd_addr, &getcap);
}

这里函数的注释写的非常清楚,就不多加介绍了。最终会执行avdt_ccb_event 进入到AVDTP的状态机中,当函数返回的时候,这部分的流程和discovery的流程非常的相似,只是执行的具体的函数不一样,当get cap的函数返回的时候,会有

MSG_GETCAP_RSP_EVT 的返回,

/* MSG_GETCAP_RSP_EVT */     {AVDT_CCB_CHK_CLOSE,         AVDT_CCB_HDL_GETCAP_RSP,    AVDT_CCB_OPEN_ST},

这里讨论都类似,我们看看 AVDT_CCB_HDL_GETCAP_RSP 执行的动作:avdt_ccb_hdl_getcap_rsp

/*******************************************************************************
**
** Function avdt_ccb_hdl_getcap_rsp
**
** Description This function is called with a get capabilities response
** or reject is received from the peer. It calls the
** application callback function with the results.
**
**
** Returns void.
**
*******************************************************************************/
void avdt_ccb_hdl_getcap_rsp(tAVDT_CCB *p_ccb, tAVDT_CCB_EVT *p_data)
{
/* we're done with procedure */
p_ccb->proc_busy = FALSE; /* call app callback with results */
(*p_ccb->proc_cback)(, p_ccb->peer_addr, AVDT_GETCAP_CFM_EVT,
(tAVDT_CTRL *)(&p_data->msg.svccap));//和discovery一样,执行回调bta_av_stream0_cback
}

我们继续看:

想想discovery 的流程是如何处理的?这里也是类似的,

        /* look up application event */
if ((p_data == NULL) || (p_data->hdr.err_code == ))
{
p_msg->hdr.event = bta_av_stream_evt_ok[event];//BTA_AV_STR_GETCAP_OK_EVT
}
else
{
p_msg->hdr.event = bta_av_stream_evt_fail[event];
} p_msg->initiator = FALSE;
if (event == AVDT_SUSPEND_CFM_EVT)
p_msg->initiator = TRUE; APPL_TRACE_VERBOSE("hndl:x%x", p_scb->hndl);
p_msg->hdr.layer_specific = p_scb->hndl;
p_msg->handle = handle;
p_msg->avdt_event = event;
bta_sys_sendmsg(p_msg);

看看对于这个事件的处理,肯定也是处理get cap的results:

/* STR_GETCAP_OK_EVT */     {BTA_AV_GETCAP_RESULTS, BTA_AV_SIGNORE,        BTA_AV_OPENING_SST },

我们看看 对于这个event的处理:

A2dp连接流程源码分析

从上面的hci log,我们应该可以猜测到,这个函数里面处理了 get cap的结果之后,肯定是要进行set configuration 的动作:

/*******************************************************************************
**
** Function bta_av_getcap_results
**
** Description Handle the AVDTP get capabilities results. Check the codec
** type and see if it matches ours. If it does not, get the
** capabilities of the next stream, if any.
**
** Returns void
**
*******************************************************************************/
void bta_av_getcap_results (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
tAVDT_CFG cfg;
UINT8 media_type;
tAVDT_SEP_INFO *p_info = &p_scb->sep_info[p_scb->sep_info_idx];
UINT16 uuid_int; /* UUID for which connection was initiatied */ memcpy(&cfg, &p_scb->cfg, sizeof(tAVDT_CFG));
cfg.num_codec = ;
cfg.num_protect = p_scb->p_cap->num_protect;
memcpy(cfg.codec_info, p_scb->p_cap->codec_info, AVDT_CODEC_SIZE);
memcpy(cfg.protect_info, p_scb->p_cap->protect_info, AVDT_PROTECT_SIZE);
media_type = p_scb->p_cap->codec_info[BTA_AV_MEDIA_TYPE_IDX] >> ; /* if codec present and we get a codec configuration */
if ((p_scb->p_cap->num_codec != ) &&
(media_type == p_scb->media_type) &&
(p_scb->p_cos->getcfg(p_scb->hndl, p_scb->p_cap->codec_info[BTA_AV_CODEC_TYPE_IDX],
cfg.codec_info, &p_scb->sep_info_idx, p_info->seid,
&cfg.num_protect, cfg.protect_info) == ))
{
#if AVDT_MULTIPLEXING == TRUE
cfg.mux_mask &= p_scb->p_cap->mux_mask;
#endif
/* save copy of codec type and configuration */
p_scb->codec_type = cfg.codec_info[BTA_AV_CODEC_TYPE_IDX];
memcpy(&p_scb->cfg, &cfg, sizeof(tAVDT_CFG)); uuid_int = p_scb->uuid_int;
if (uuid_int == UUID_SERVCLASS_AUDIO_SOURCE)
bta_av_adjust_seps_idx(p_scb, bta_av_get_scb_handle(p_scb, AVDT_TSEP_SRC));
else if (uuid_int == UUID_SERVCLASS_AUDIO_SINK)
bta_av_adjust_seps_idx(p_scb, bta_av_get_scb_handle(p_scb, AVDT_TSEP_SNK)); /* use only the services peer supports */
cfg.psc_mask &= p_scb->p_cap->psc_mask;
p_scb->cur_psc_mask = cfg.psc_mask; ...
/* open the stream */
AVDT_OpenReq(p_scb->seps[p_scb->sep_idx].av_handle, p_scb->peer_addr,p_scb->sep_info[p_scb->sep_info_idx].seid, &cfg);//打开请求 if (!bta_av_is_rcfg_sst(p_scb))
{
/* free capabilities buffer */
utl_freebuf((void **) &p_scb->p_cap);
}
}
else
{
/* try the next stream, if any */
p_scb->sep_info_idx++;
bta_av_next_getcap(p_scb, p_data);
} }

我们发现上面代码流程直接走了 AVDTP open的流程,为什么没有去set configuration,我们继续看:

/*******************************************************************************
**
** Function AVDT_OpenReq
**
** Description This function initiates a connection to the AVDTP service
** on the peer device, if not already present, and connects
** to a stream endpoint on a peer device. When the connection
** is completed, an AVDT_OPEN_CFM_EVT is sent to the
** application via the control callback function for this handle.
**
** Returns AVDT_SUCCESS if successful, otherwise error.
**
*******************************************************************************/
UINT16 AVDT_OpenReq(UINT8 handle, BD_ADDR bd_addr, UINT8 seid, tAVDT_CFG *p_cfg)
{
tAVDT_CCB *p_ccb = NULL;
tAVDT_SCB *p_scb = NULL;
UINT16 result = AVDT_SUCCESS;
tAVDT_SCB_EVT evt; /* verify SEID */
if ((seid < AVDT_SEID_MIN) || (seid > AVDT_SEID_MAX))
{
result = AVDT_BAD_PARAMS;
}
/* map handle to scb */
else if ((p_scb = avdt_scb_by_hdl(handle)) == NULL)
{
result = AVDT_BAD_HANDLE;
}
/* find channel control block for this bd addr; if none, allocate one */
else if ((p_ccb = avdt_ccb_by_bd(bd_addr)) == NULL)
{
if ((p_ccb = avdt_ccb_alloc(bd_addr)) == NULL)
{
/* could not allocate channel control block */
result = AVDT_NO_RESOURCES;
}
} /* send event to scb */
if (result == AVDT_SUCCESS)
{
evt.msg.config_cmd.hdr.seid = seid;
evt.msg.config_cmd.hdr.ccb_idx = avdt_ccb_to_idx(p_ccb);
evt.msg.config_cmd.int_seid = handle;
evt.msg.config_cmd.p_cfg = p_cfg;
avdt_scb_event(p_scb, AVDT_SCB_API_SETCONFIG_REQ_EVT, &evt);//进行set configuration
}
return result;
}

我们发现是在open 里面实现的:,这里需要注意,我们前面discovery和get cap 都是 发送给ccb,但是这里开始发送给scb,此时的scb还是idle的状态,

/* API_SETCONFIG_REQ_EVT */ {AVDT_SCB_SND_SETCONFIG_REQ,    AVDT_SCB_IGNORE,            AVDT_SCB_IDLE_ST},

那么scb 的下一个状态依然是idle 状态。 这里执行的action 是AVDT_SCB_SND_SETCONFIG_REQ,我们具体看看:

这里执行的函数 是avdt_scb_snd_setconfig_req:我们继续分析下这个函数:

/*******************************************************************************
**
** Function avdt_scb_snd_setconfig_req
**
** Description This function marks the SCB as in use and copies the
** configuration parameters to the SCB. Then the function
** sends a set configuration command message and initiates
** opening of the signaling channel.
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_scb_snd_setconfig_req(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
{
tAVDT_CFG *p_req, *p_cfg; /* copy API parameters to scb, set scb as in use */
p_scb->in_use = TRUE;
p_scb->p_ccb = avdt_ccb_by_idx(p_data->msg.config_cmd.hdr.ccb_idx);
p_scb->peer_seid = p_data->msg.config_cmd.hdr.seid;
p_req = p_data->msg.config_cmd.p_cfg;
p_cfg = &p_scb->cs.cfg;
#if AVDT_MULTIPLEXING == TRUE
p_req->mux_tsid_media = p_cfg->mux_tsid_media;
p_req->mux_tcid_media = p_cfg->mux_tcid_media;
if(p_req->psc_mask & AVDT_PSC_REPORT)
{
p_req->mux_tsid_report = p_cfg->mux_tsid_report;
p_req->mux_tcid_report = p_cfg->mux_tcid_report;
}
#endif
memcpy(&p_scb->req_cfg, p_data->msg.config_cmd.p_cfg, sizeof(tAVDT_CFG)); avdt_msg_send_cmd(p_scb->p_ccb, p_scb, AVDT_SIG_SETCONFIG, &p_data->msg);//发送set config 的消息 /* tell ccb to open channel */
avdt_ccb_event(p_scb->p_ccb, AVDT_CCB_UL_OPEN_EVT, NULL);//什么也没做
}

分析到avdt_msg_send_cmd,我们这里就不往下继续分析了,后续对端收到set configuration的消息之后会回复我们。

现在我们看下avdt_ccb_event(p_scb->p_ccb, AVDT_CCB_UL_OPEN_EVT, NULL);做的事情,按照之前的逻辑,stream channel open的操作应该是在set configuration rsp 里面执行,我们看看是不是这样:

/* LL_OPEN_EVT */            {AVDT_CCB_IGNORE,            AVDT_CCB_IGNORE,            AVDT_CCB_OPEN_ST},

我们发现,其action 都是ignore,所以什么也没干,状态还是AVDT_CCB_OPEN_ST

下面我们继续分析,set configuration 之后的rsp 的处理:

/*******************************************************************************
**
** Function avdt_l2c_data_ind_cback
**
** Description This is the L2CAP data indication callback function.
**
**
** Returns void
**
*******************************************************************************/
void avdt_l2c_data_ind_cback(UINT16 lcid, BT_HDR *p_buf)
{
tAVDT_TC_TBL *p_tbl;
/* look up info for this channel */
if ((p_tbl = avdt_ad_tc_tbl_by_lcid(lcid)) != NULL)
{
avdt_ad_tc_data_ind(p_tbl, p_buf);
}
else /* prevent buffer leak */
GKI_freebuf(p_buf);
}

找到对应的channel:

/*******************************************************************************
**
** Function avdt_ad_tc_data_ind
**
** Description This function is called by the L2CAP interface layer when
** incoming data is received from L2CAP. It looks up the CCB
** or SCB for the channel and routes the data accordingly.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ad_tc_data_ind(tAVDT_TC_TBL *p_tbl, BT_HDR *p_buf)
{
tAVDT_CCB *p_ccb;
tAVDT_SCB *p_scb;
/* store type (media, recovery, reporting) */
p_buf->layer_specific = avdt_ad_tcid_to_type(p_tbl->tcid); /* if signaling channel, handle control message */
if (p_tbl->tcid == )
{
p_ccb = avdt_ccb_by_idx(p_tbl->ccb_idx);
avdt_msg_ind(p_ccb, p_buf);//signal channel
}
/* if media or other channel, send event to scb */
else
{
p_scb = avdt_scb_by_hdl(avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][p_tbl->tcid].scb_hdl);
if (p_scb != NULL)
{
avdt_scb_event(p_scb, AVDT_SCB_TC_DATA_EVT, (tAVDT_SCB_EVT *) &p_buf);
}
else
{
GKI_freebuf(p_buf);
AVDT_TRACE_ERROR(" avdt_ad_tc_data_ind buffer freed");
}
}
}

我们当前是signal 信号:执行avdt_msg_ind 函数:

/*******************************************************************************
**
** Function avdt_msg_ind
**
** Description This function is called by the adaption layer when an
** incoming message is received on the signaling channel.
** It parses the message and sends an event to the appropriate
** SCB or CCB for the message.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_msg_ind(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
{
tAVDT_SCB *p_scb;
...
if (ok && !gen_rej)
{
/* skip over header (msg length already verified during reassembly) */
p_buf->len -= AVDT_LEN_TYPE_SINGLE; /* set up to parse message */
if ((msg_type == AVDT_MSG_TYPE_RSP) && (sig == AVDT_SIG_DISCOVER))
{
/* parse discover rsp message to struct supplied by app */
msg.discover_rsp.p_sep_info = (tAVDT_SEP_INFO *) p_ccb->p_proc_data;
msg.discover_rsp.num_seps = p_ccb->proc_param;
}
else if ((msg_type == AVDT_MSG_TYPE_RSP) &&
((sig == AVDT_SIG_GETCAP) || (sig == AVDT_SIG_GET_ALLCAP)))
{
/* parse discover rsp message to struct supplied by app */
msg.svccap.p_cfg = (tAVDT_CFG *) p_ccb->p_proc_data;
}
else if ((msg_type == AVDT_MSG_TYPE_RSP) && (sig == AVDT_SIG_GETCONFIG))
{
/* parse get config rsp message to struct allocated locally */
msg.svccap.p_cfg = &cfg;
}
else if ((msg_type == AVDT_MSG_TYPE_CMD) && (sig == AVDT_SIG_SETCONFIG))
{
/* parse config cmd message to struct allocated locally */
msg.config_cmd.p_cfg = &cfg;
}
...
/* parse message; while we're at it map message sig to event */
if (msg_type == AVDT_MSG_TYPE_CMD)
{
msg.hdr.err_code = err = (*avdt_msg_prs_cmd[sig - ])(&msg, p, p_buf->len);
evt = avdt_msg_cmd_2_evt[sig - ];
}
else if (msg_type == AVDT_MSG_TYPE_RSP)
{
msg.hdr.err_code = err = (*avdt_msg_prs_rsp[sig - ])(&msg, p, p_buf->len);
evt = avdt_msg_rsp_2_evt[sig - ];//找到对应的event
}
else /* msg_type == AVDT_MSG_TYPE_REJ */
{
err = avdt_msg_prs_rej(&msg, p, sig);
evt = avdt_msg_rej_2_evt[sig - ];
}
...
if (ok)
{
/* if it's a ccb event send to ccb */
if (evt & AVDT_CCB_MKR)
{
avdt_ccb_event(p_ccb, (UINT8)(evt & ~AVDT_CCB_MKR), (tAVDT_CCB_EVT *) &msg);//进入到avdt_ccb进行处理,这里处理的event:(AVDT_CCB_MSG_DISCOVER_RSP_EVT + AVDT_CCB_MKR)+(AVDT_CCB_MSG_GETCAP_RSP_EVT + AVDT_CCB_MKR),也就是avdtp signal的前两个流程
}
/* if it's a scb event */
else
{
/* Scb events always have a single seid. For cmd, get seid from
** message. For rej and rsp, get seid from p_curr_cmd.
*/
if (msg_type == AVDT_MSG_TYPE_CMD)
{
scb_hdl = msg.single.seid;
}
else
{
scb_hdl = *((UINT8 *)(p_ccb->p_curr_cmd + ));
} /* Map seid to the scb and send it the event. For cmd, seid has
** already been verified by parsing function.
*/
if (evt && (p_scb = avdt_scb_by_hdl(scb_hdl)) != NULL)
{
avdt_scb_event(p_scb, evt, (tAVDT_SCB_EVT *) &msg);//AVDT_SCB_MSG_SETCONFIG_RSP_EVT 应该是scb的event
}
}
} /* free message buffer */
GKI_freebuf(p_buf); /* if its a rsp or rej, send event to ccb to free associated
** cmd msg buffer and handle cmd queue
*/
if (handle_rsp)
{
avdt_ccb_event(p_ccb, AVDT_CCB_RCVRSP_EVT, NULL);//最后发送AVDT_CCB_RCVRSP_EVT到ccb
}

我们分别看avdt_scb_event(p_scb,AVDT_SCB_MSG_SETCONFIG_RSP_EVT , (tAVDT_SCB_EVT *) &msg)和avdt_ccb_event(p_ccb, AVDT_CCB_RCVRSP_EVT, NULL);,后者没有做影响流程的操作,执行的action是AVDT_CCB_FREE_CMD和AVDT_CCB_SND_CMD,这里不详细分析了.

- ::14.215 I/bt_avp  ( ): SCB hdl= event=/MSG_SETCONFIG_RSP_EVT state=SCB_IDLE_ST
- ::14.215 I/bt_avp ( ): SCB hdl= event=/API_OPEN_REQ_EVT state=SCB_CONF_ST
- ::14.216 I/bt_avp ( ): CCB ccb= event=SENDMSG_EVT state=CCB_OPEN_ST
- ::14.216 I/bt_avp ( ): CCB ccb= event=RCVRSP_EVT state=CCB_OPEN_ST

上面是次流程打印的log:

/* MSG_SETCONFIG_RSP_EVT */ {AVDT_SCB_HDL_SETCONFIG_RSP,    AVDT_SCB_IGNORE,            AVDT_SCB_CONF_ST},

scb的下一个状态是AVDT_SCB_CONF_ST

执行的action 是AVDT_SCB_HDL_SETCONFIG_RSP,我们看看 该函数做了什么?按照预期应该会去保存config的结果以及 执行 scb open的操作:

/*******************************************************************************
**
** Function avdt_scb_hdl_setconfig_rsp
**
** Description This function sends the SCB an AVDT_SCB_API_OPEN_REQ_EVT
** to initiate sending of an open command message.
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_scb_hdl_setconfig_rsp(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
{
tAVDT_EVT_HDR single;
UNUSED(p_data); if (p_scb->p_ccb != NULL)
{
/* save configuration */
memcpy(&p_scb->curr_cfg, &p_scb->req_cfg, sizeof(tAVDT_CFG)); /* initiate open */
single.seid = p_scb->peer_seid;
avdt_scb_event(p_scb, AVDT_SCB_API_OPEN_REQ_EVT, (tAVDT_SCB_EVT *) &single);//open
}
}

符合我们的预期,下一步进入到 对于scb 的open 的操作中:

我们继续看:

/* API_OPEN_REQ_EVT */      {AVDT_SCB_SND_OPEN_REQ,         AVDT_SCB_IGNORE,            AVDT_SCB_CONF_ST},

scb的下一个状态 依然是AVDT_SCB_CONF_ST,执行的action 是AVDT_SCB_SND_OPEN_REQ,:

/*******************************************************************************
**
** Function avdt_scb_snd_open_req
**
** Description This function sends an open command message.
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_scb_snd_open_req(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
{
tAVDT_EVT_HDR hdr;
UNUSED(p_data); hdr.seid = p_scb->peer_seid; avdt_msg_send_cmd(p_scb->p_ccb, p_scb, AVDT_SIG_OPEN, (tAVDT_MSG *) &hdr);//向对方发出AVDT_SIG_OPEN
}

开始 向对端发送 scb open的请求,我们现在分析一下,对方的response:

此时对方传过来的event是AVDT_SCB_MSG_OPEN_RSP_EVT,

/*******************************************************************************
**
** Function avdt_msg_ind
**
** Description This function is called by the adaption layer when an
** incoming message is received on the signaling channel.
** It parses the message and sends an event to the appropriate
** SCB or CCB for the message.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_msg_ind(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
{
...
if (ok)
{
/* if it's a ccb event send to ccb */
if (evt & AVDT_CCB_MKR)
{
avdt_ccb_event(p_ccb, (UINT8)(evt & ~AVDT_CCB_MKR), (tAVDT_CCB_EVT *) &msg);
}
/* if it's a scb event */
else
{
/* Scb events always have a single seid. For cmd, get seid from
** message. For rej and rsp, get seid from p_curr_cmd.
*/
if (msg_type == AVDT_MSG_TYPE_CMD)
{
scb_hdl = msg.single.seid;
}
else
{
scb_hdl = *((UINT8 *)(p_ccb->p_curr_cmd + ));
} /* Map seid to the scb and send it the event. For cmd, seid has
** already been verified by parsing function.
*/
if (evt && (p_scb = avdt_scb_by_hdl(scb_hdl)) != NULL)
{
avdt_scb_event(p_scb, evt, (tAVDT_SCB_EVT *) &msg);//AVDT_SCB_MSG_OPEN_RSP_EVT
}
}
} /* free message buffer */
GKI_freebuf(p_buf); /* if its a rsp or rej, send event to ccb to free associated
** cmd msg buffer and handle cmd queue
*/
if (handle_rsp)
{
avdt_ccb_event(p_ccb, AVDT_CCB_RCVRSP_EVT, NULL);
}

上面的重点 就是avdt_scb_event(p_scb,AVDT_SCB_MSG_OPEN_RSP_EVT, (tAVDT_SCB_EVT *) &msg);

/* MSG_OPEN_RSP_EVT */      {AVDT_SCB_HDL_OPEN_RSP,         AVDT_SCB_IGNORE,            AVDT_SCB_OPENING_ST},

现在发现,scb的下一个状态发生了变化,AVDT_SCB_OPENING_ST,而执行的动作也是处理这个resp:AVDT_SCB_HDL_OPEN_RSP:

/*******************************************************************************
**
** Function avdt_scb_hdl_open_rsp
**
** Description This function calls avdt_ad_open_req() to initiate
** connection of the transport channel for this stream.
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_scb_hdl_open_rsp(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
{
UNUSED(p_data); /* initiate opening of trans channels for this SEID */
p_scb->role = AVDT_OPEN_INT;
avdt_ad_open_req(AVDT_CHAN_MEDIA, p_scb->p_ccb, p_scb, AVDT_INT); //这里开启media channel /* start tc connect timer */
btu_start_timer(&p_scb->timer_entry, BTU_TTYPE_AVDT_SCB_TC, AVDT_SCB_TC_CONN_TOUT);
}

我们发现 开始 media channel的相关的工作,继续看:

/*******************************************************************************
**
** Function avdt_ad_open_req
**
** Description This function is called by a CCB or SCB to open a transport
** channel. This function allocates and initializes a
** transport channel table entry. The channel can be opened
** in two roles: as an initiator or acceptor. When opened
** as an initiator the function will start an L2CAP connection.
** When opened as an acceptor the function simply configures
** the table entry to listen for an incoming channel.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ad_open_req(UINT8 type, tAVDT_CCB *p_ccb, tAVDT_SCB *p_scb, UINT8 role)
{
tAVDT_TC_TBL *p_tbl;
UINT16 lcid; if((p_tbl = avdt_ad_tc_tbl_alloc(p_ccb)) == NULL)
{
AVDT_TRACE_ERROR("avdt_ad_open_req: Cannot allocate p_tbl");
return;
} p_tbl->tcid = avdt_ad_type_to_tcid(type, p_scb);
AVDT_TRACE_DEBUG("avdt_ad_open_req: type: %d, role: %d, tcid:%d",
type, role, p_tbl->tcid); if (type == AVDT_CHAN_SIG)
{
/* if signaling, get mtu from registration control block */
p_tbl->my_mtu = avdt_cb.rcb.ctrl_mtu;
p_tbl->my_flush_to = L2CAP_DEFAULT_FLUSH_TO;
}
else //当前是media channel
{
/* otherwise get mtu from scb */
p_tbl->my_mtu = p_scb->cs.mtu;
p_tbl->my_flush_to = p_scb->cs.flush_to; /* also set scb_hdl in rt_tbl */
avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][p_tbl->tcid].scb_hdl = avdt_scb_to_hdl(p_scb);
AVDT_TRACE_DEBUG("avdt_cb.ad.rt_tbl[%d][%d].scb_hdl = %d",
avdt_ccb_to_idx(p_ccb), p_tbl->tcid,
avdt_scb_to_hdl(p_scb));
} /* if we're acceptor, we're done; just sit back and listen */
if (role == AVDT_ACP)
{
p_tbl->state = AVDT_AD_ST_ACP;
}
/* else we're inititator, start the L2CAP connection */
else //we are inititator
{
p_tbl->state = AVDT_AD_ST_CONN; /* call l2cap connect req */
if ((lcid = L2CA_ConnectReq(AVDT_PSM, p_ccb->peer_addr)) != )//建立l2cap 连接
{
/* if connect req ok, store tcid in lcid table */
avdt_cb.ad.lcid_tbl[lcid - L2CAP_BASE_APPL_CID] = avdt_ad_tc_tbl_to_idx(p_tbl);
AVDT_TRACE_DEBUG("avdt_cb.ad.lcid_tbl[%d] = %d",
(lcid - L2CAP_BASE_APPL_CID), avdt_ad_tc_tbl_to_idx(p_tbl)); avdt_cb.ad.rt_tbl[avdt_ccb_to_idx(p_ccb)][p_tbl->tcid].lcid = lcid;
AVDT_TRACE_DEBUG("avdt_cb.ad.rt_tbl[%d][%d].lcid = 0x%x",
avdt_ccb_to_idx(p_ccb), p_tbl->tcid,
lcid);
}
else
{
/* if connect req failed, call avdt_ad_tc_close_ind() */
avdt_ad_tc_close_ind(p_tbl, );
}
}
}

avdtp signaling 的流程走完了,最后是建立media channel.建立l2cap的通道.

在hci log中,也能找到该流程的痕迹:

A2dp连接流程源码分析

到这里,avdtp的流程似乎已经讲完了,因为基本的流程都已经走完了,但是这里要注意一下,我们上面的scb 状态机的状态还是opening 的状态,BTA层的Stream state machine也是处于opening 的状态,而btif_AV的状态机也还处于opening状态.那什么时候会变成open 状态,我们需要继续分析:

上面 建立l2cap的media channel之后(其实也就是stream channel)之后.会进行config,config的response 的处理函数是:avdt_l2c_config_cfm_cback:

/*******************************************************************************
**
** Function avdt_l2c_config_cfm_cback
**
** Description This is the L2CAP config confirm callback function.
**
**
** Returns void
**
*******************************************************************************/
void avdt_l2c_config_cfm_cback(UINT16 lcid, tL2CAP_CFG_INFO *p_cfg)
{
tAVDT_TC_TBL *p_tbl; /* look up info for this channel */
if ((p_tbl = avdt_ad_tc_tbl_by_lcid(lcid)) != NULL)
{
p_tbl->lcid = lcid; /* if in correct state */
if (p_tbl->state == AVDT_AD_ST_CFG)
{
/* if result successful */
if (p_cfg->result == L2CAP_CONN_OK)
{
/* update cfg_flags */
p_tbl->cfg_flags |= AVDT_L2C_CFG_CFM_DONE; /* if configuration complete */
if (p_tbl->cfg_flags & AVDT_L2C_CFG_IND_DONE)
{
avdt_ad_tc_open_ind(p_tbl);//上报event
}
}
/* else failure */
else
{
/* Send L2CAP disconnect req */
L2CA_DisconnectReq(lcid);
}
}
}
}

我们继续看avdt_ad_tc_open_ind的流程:,这个函数之前已经提到过,里面有signal 信道和数据通道的不同处理 ,当前的新建的l2cap channel是media channel

/*******************************************************************************
**
** Function avdt_ad_tc_open_ind
**
** Description This function is called by the L2CAP interface when
** the L2CAP channel is opened. It looks up the CCB or SCB
** for the channel and sends it an open event.
**
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_ad_tc_open_ind(tAVDT_TC_TBL *p_tbl)
{
tAVDT_CCB *p_ccb;
tAVDT_SCB *p_scb;
tAVDT_OPEN open;
tAVDT_EVT_HDR evt; p_tbl->state = AVDT_AD_ST_OPEN; /* if signaling channel, notify ccb that channel open */
if (p_tbl->tcid == )
{
/* set the signal channel to use high priority within the ACL link */
L2CA_SetTxPriority(avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][AVDT_CHAN_SIG].lcid, L2CAP_CHNL_PRIORITY_HIGH); p_ccb = avdt_ccb_by_idx(p_tbl->ccb_idx);
/* use err_param to indicate the role of connection.
* AVDT_ACP, if ACP */
evt.err_param = AVDT_INT;
if(p_tbl->cfg_flags & AVDT_L2C_CFG_CONN_ACP)
{
evt.err_param = AVDT_ACP;
}
avdt_ccb_event(p_ccb, AVDT_CCB_LL_OPEN_EVT, (tAVDT_CCB_EVT *)&evt);//signal 走的是avdt_ccb_event
}
/* if media or other channel, notify scb that channel open */
else
{
/* look up scb in stream routing table by ccb, tcid */
p_scb = avdt_scb_by_hdl(avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][p_tbl->tcid].scb_hdl); /* put lcid in event data */
if (p_scb != NULL)
{
open.peer_mtu = p_tbl->peer_mtu;
open.lcid = avdt_cb.ad.rt_tbl[p_tbl->ccb_idx][p_tbl->tcid].lcid;
open.hdr.err_code = avdt_ad_tcid_to_type(p_tbl->tcid);
avdt_scb_event(p_scb, AVDT_SCB_TC_OPEN_EVT, (tAVDT_SCB_EVT *) &open);//media 走的是avdt_scb_event
}
}
}

我们发现 去最终执行了avdt_scb_event(p_scb, AVDT_SCB_TC_OPEN_EVT, (tAVDT_SCB_EVT *) &open);当前的scb 的状态是opening,我们看看 会发生什么?

/* TC_OPEN_EVT */           {AVDT_SCB_HDL_TC_OPEN,          AVDT_SCB_IGNORE,            AVDT_SCB_OPEN_ST},

我们发现,到此,scb的状态变成了AVDT_SCB_OPEN_ST,我们解开了第一个谜团,下面还有两个,我们继续看看.可以猜想一下, 肯定是将open的信息一层一层往上传,然后逐个变成open状态的.我们继续看.

scb 变成open状态之后,还要 执行action是AVDT_SCB_HDL_TC_OPEN:

/*******************************************************************************
**
** Function avdt_scb_hdl_tc_open
**
** Description This function is called when the transport channel is
** opened while in the opening state. It calls the
** application callback with an open indication or open
** confirm depending on who initiated the open procedure.
**
** Returns Nothing.
**
*******************************************************************************/
void avdt_scb_hdl_tc_open(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
{
UINT8 event;
#if AVDT_REPORTING == TRUE
UINT8 role;
#endif /* stop transport channel connect timer */
btu_stop_timer(&p_scb->timer_entry); event = (p_scb->role == AVDT_OPEN_INT) ? AVDT_OPEN_CFM_EVT : AVDT_OPEN_IND_EVT;//AVDT_OPEN_CFM_EVT
p_data->open.hdr.err_code = ;
...
/* call app callback */
(*p_scb->cs.p_ctrl_cback)(avdt_scb_to_hdl(p_scb),
p_scb->p_ccb ? p_scb->p_ccb->peer_addr : NULL,
event,
(tAVDT_CTRL *) &p_data->open);//bta_av_stream0_cback:AVDT_OPEN_CFM_EVT
}

上面函数的 注释写的非常的清楚,就是上班open event.上面的回调函数就是 bta_av_stream0_cback,我们继续看看回调函数如何处理的:

static void bta_av_stream0_cback(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data)
{
bta_av_proc_stream_evt(handle, bd_addr, event, p_data, );
}
/*******************************************************************************
**
** Function bta_av_proc_stream_evt
**
** Description Utility function to compose stream events.
**
** Returns void
**
*******************************************************************************/
static void bta_av_proc_stream_evt(UINT8 handle, BD_ADDR bd_addr, UINT8 event, tAVDT_CTRL *p_data, int index)
{
...
/* look up application event */
if ((p_data == NULL) || (p_data->hdr.err_code == ))
{
p_msg->hdr.event = bta_av_stream_evt_ok[event];//AVDT_OPEN_CFM_EVT-->BTA_AV_STR_OPEN_OK_EVT
}
else
{
p_msg->hdr.event = bta_av_stream_evt_fail[event];
} p_msg->initiator = FALSE;
if (event == AVDT_SUSPEND_CFM_EVT)
p_msg->initiator = TRUE; APPL_TRACE_VERBOSE("hndl:x%x event = 0x%x", p_scb->hndl,event);
p_msg->hdr.layer_specific = p_scb->hndl;
p_msg->handle = handle;
p_msg->avdt_event = event;
bta_sys_sendmsg(p_msg);
}
...

我们可以看到.这个回调就是将底层传过来的event转换成BTA层的event,这里被转换成(AVDT_OPEN_CFM_EVT--->BTA_AV_STR_OPEN_OK_EVT)  ,然后  通过bta_sys_sendmsg发送到btu task,而处理这些event 的状态机 正是我们前面提到的BTA ssm ,我们继续看:

通过a2dp 初始化的章节分析,我们知道该event 是由bta_av_ssm_execute  来处理的,此刻的bta ssm 也是处于opening 状态,

/* STR_OPEN_OK_EVT */       {BTA_AV_ST_RC_TIMER,    BTA_AV_STR_OPENED,     BTA_AV_OPEN_SST },

这里发现.bta ssm 的状态也变成了BTA_AV_OPEN_SST状态,那么我们的第二个谜团解开,继续看.接下来 他要执行的两个action是BTA_AV_ST_RC_TIMER  BTA_AV_STR_OPENED,从名字上面看看,第二个action应该做了一些上报的事情.

这边追了一下代码发现,前者是做了AVRCP的相关的操作,这里暂时不分析.我们看看BTA_AV_STR_OPENED 做的事情:

/*******************************************************************************
**
** Function bta_av_str_opened
**
** Description Stream opened OK (incoming/outgoing).
**
** Returns void
**
*******************************************************************************/
void bta_av_str_opened (tBTA_AV_SCB *p_scb, tBTA_AV_DATA *p_data)
{
...
{
/* TODO check if other audio channel is open.
* If yes, check if reconfig is needed
* Rigt now we do not do this kind of checking.
* BTA-AV is INT for 2nd audio connection.
* The application needs to make sure the current codec_info is proper.
* If one audio connection is open and another SNK attempts to connect to AV,
* the connection will be rejected.
*/
/* check if other audio channel is started. If yes, start */
bdcpy(open.bd_addr, p_scb->peer_addr);
open.chnl = p_scb->chnl;
open.hndl = p_scb->hndl;
open.status = BTA_AV_SUCCESS;
open.starting = bta_av_chk_start(p_scb);
open.edr = ;
if( NULL != (p = BTM_ReadRemoteFeatures(p_scb->peer_addr)))
{
if(HCI_EDR_ACL_2MPS_SUPPORTED(p))
open.edr |= BTA_AV_EDR_2MBPS;
if(HCI_EDR_ACL_3MPS_SUPPORTED(p))
open.edr |= BTA_AV_EDR_3MBPS; }
#if( defined BTA_AR_INCLUDED ) && (BTA_AR_INCLUDED == TRUE)
bta_ar_avdt_conn(BTA_ID_AV, open.bd_addr);
#endif
if (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SRC )
open.sep = AVDT_TSEP_SNK;
else if (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SNK )
open.sep = AVDT_TSEP_SRC; (*bta_av_cb.p_cback)(BTA_AV_OPEN_EVT, (tBTA_AV *) &open);//继续向上回调
...
}
...

那上面的回调是在哪里注册的呢?是在bta_av_api_enable的时候,也就是从btif 层进行av enable的时候 传下来的.就是bte_av_callback,

static void bte_av_callback(tBTA_AV_EVT event, tBTA_AV *p_data)
{
btif_transfer_context(btif_av_handle_event, event,
(char*)p_data, sizeof(tBTA_AV), btif_av_event_deep_copy);
}

发现回调还是回到btif 层,

static void btif_av_handle_event(UINT16 event, char* p_param)
{
btif_sm_dispatch(btif_av_cb.sm_handle, event, (void*)p_param);
btif_av_event_free_data(event, p_param);
}

到这里,我们见到了 我们一直关心的btif层面的AV 状态机:,event = BTA_AV_OPEN_EVT

/*****************************************************************************
**
** Function btif_sm_dispatch
**
** Description Dispatches the 'event' along with 'data' to the current state handler
**
** Returns BT_STATUS_SUCCESS on success
** BT_STATUS_UNHANDLED if event was not processed
** BT_STATUS_FAIL otherwise
**
******************************************************************************/
bt_status_t btif_sm_dispatch(btif_sm_handle_t handle, btif_sm_event_t event,
void *data)
{
bt_status_t status = BT_STATUS_SUCCESS; btif_sm_cb_t *p_cb = (btif_sm_cb_t*)handle; if (p_cb == NULL)
{
BTIF_TRACE_ERROR("%s : Invalid handle", __FUNCTION__);
return BT_STATUS_FAIL;
} if (p_cb->p_handlers[p_cb->state](event, data) == FALSE)//进入当前的状态handler进行处理,当前是opening
return BT_STATUS_UNHANDLED; return status;
}

也就是btif_av_state_opening_handler ,我们继续看:

/*****************************************************************************
**
** Function btif_av_state_opening_handler
**
** Description Intermediate state managing events during establishment
** of avdtp channel
**
** Returns TRUE if event was processed, FALSE otherwise
**
*******************************************************************************/ static BOOLEAN btif_av_state_opening_handler(btif_sm_event_t event, void *p_data)
{
BTIF_TRACE_DEBUG("%s event:%s flags %x", __FUNCTION__,
dump_av_sm_event_name(event), btif_av_cb.flags); switch (event)
{
...
case BTA_AV_OPEN_EVT:
{
tBTA_AV *p_bta_data = (tBTA_AV*)p_data;
btav_connection_state_t state;
btif_sm_state_t av_state; if (p_bta_data->open.status == BTA_AV_SUCCESS)
{
state = BTAV_CONNECTION_STATE_CONNECTED;
av_state = BTIF_AV_STATE_OPENED;//设置状态
btif_av_cb.edr = p_bta_data->open.edr; btif_av_cb.peer_sep = p_bta_data->open.sep;
btif_a2dp_set_peer_sep(p_bta_data->open.sep);
}
else
{
...
} /* inform the application of the event */
btif_report_connection_state(state, &(btif_av_cb.peer_bda));//通知上层:HAL_CBACK(bt_av_src_callbacks, connection_state_cb, state, bd_addr);
/* change state to open/idle based on the status */
btif_sm_change_state(btif_av_cb.sm_handle, av_state);//这里就是状态机改变状态的地方
if (btif_av_cb.peer_sep == AVDT_TSEP_SNK)
{
/* if queued PLAY command, send it now */
btif_rc_check_handle_pending_play(p_bta_data->open.bd_addr,
(p_bta_data->open.status == BTA_AV_SUCCESS));
}
else if (btif_av_cb.peer_sep == AVDT_TSEP_SRC)
{
...
}
btif_queue_advance();
}
...

我们分析一下btif_sm_change_state:

/*****************************************************************************
**
** Function btif_sm_change_state
**
** Description Make a transition to the new 'state'. The 'BTIF_SM_EXIT_EVT'
** shall be invoked before exiting the current state. The
** 'BTIF_SM_ENTER_EVT' shall be invoked before entering the new state
**
** Returns BT_STATUS_SUCCESS on success
** BT_STATUS_UNHANDLED if event was not processed
** BT_STATUS_FAIL otherwise
**
******************************************************************************/
bt_status_t btif_sm_change_state(btif_sm_handle_t handle, btif_sm_state_t state)
{
bt_status_t status = BT_STATUS_SUCCESS;
btif_sm_cb_t *p_cb = (btif_sm_cb_t*)handle; if (p_cb == NULL)
{
BTIF_TRACE_ERROR("%s : Invalid handle", __FUNCTION__);
return BT_STATUS_FAIL;
} /* Send exit event to the current state */
if (p_cb->p_handlers[p_cb->state](BTIF_SM_EXIT_EVT, NULL) == FALSE)//先退出原先的状态
status = BT_STATUS_UNHANDLED; /* Change to the new state */
p_cb->state = state; /* Send enter event to the new state */
if (p_cb->p_handlers[p_cb->state](BTIF_SM_ENTER_EVT, NULL) == FALSE)//进入到新的状态
status = BT_STATUS_UNHANDLED; return status;
}

新的状态就是BTIF_AV_STATE_OPENED  那到这里, 所有涉及到的状态机都已经是open 状态了.

这里补充一张a2dp 各级状态机的轮转图:
A2dp连接流程源码分析

那么关于a2dp profile的连接的流程就分析到这里了.