面試官:你知道Android系統啟動流程嗎?

如果你自認為是一個Android高級工程師,或者正在通往高級工程師路上,那么Android系統啟動流程你是必須要了解的,這篇文章將手把手帶你閱讀Android系統源碼,了解Android系統啟動流程。

沒有源碼?沒關系,可以在線看嘛!


這篇文章主要涉及以下內容:
1. Zygote進程啟動
2. SystemServer 進程啟動
3. Launcher啟動

參考8.0源碼 https://www.androidos.net.cn/android/8.0.0_r4/xref/

我們開始吧~

一、Zygote 進程啟動流程

首先,Zygote 進程是由init進程拉起的,
簡單說下init進程init進程是手機開機的第一個進程,
對 init進程 有興趣的可以參考
http://www.lxweimin.com/p/1d3e722871e8
init進程做的事:

  1. 創建文件并掛載
  2. 初始化和啟動屬性服務
  3. 解析init.rc配置文件并啟動zygote進程

init進程啟動之后會去解析init.rc配置文件,配置文件定義了要啟動的服務,Zygote就是要啟動的服務之一,除此之外還有ServerManager進程等,Zygote啟動腳本可以看init.zygote32.rc,64位也是差不多的。

/system/core/rootdir/init.zygote32.rc

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    priority -20
    user root
    group root readproc
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart audioserver
    onrestart restart cameraserver
    onrestart restart media
    onrestart restart netd
    onrestart restart wificond
    writepid /dev/cpuset/foreground/tasks
  1. 第一行,創建一個名叫 zygote 的進程,這個進程的可執行程序路徑是 /system/bin/app_process,-Xzygote /system/bin --zygote --start-system-server是要傳入到app_process程序中的參數。

  2. socket zygote stream 660 root system,這一句是啟動一個名叫zygote的socket,ActivityManagerService進程和Zygote進程通信就是通過這個socket,主要作用是AMS請求Zygote進程fork出一個新的應用程序進程,后面分析應用啟動流程會詳細介紹。

擴展一下,xposed的原理就是通過替換了app_process,實現對Zygote進程的控制。

1.1 Zygote進程啟動之后做了什么事?

Zygote的可執行程序路徑在/system/bin/app_process
root手機之后可以通過RE管理器查看,
對應代碼在
/frameworks/base/cmds/app_process/app_main.cpp

int main(int argc, char* const argv[])
{
    AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
...
  
    if (zygote) {
        //這里會去調用ZygoteInit 的main方法
        runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
    } else if (className) {
        runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
    } else {
        fprintf(stderr, "Error: no class name or --zygote supplied.\n");
        app_usage();
        LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
    }
}

runtime指的就是AppRuntime,AppRuntime繼承自AndroidRuntime,

class AppRuntime : public AndroidRuntime
{...

也就是我們調用start函數其實是調用AndroidRuntime的start函數:
先看AndroidRuntime,源碼在/frameworks/base/core/jni/AndroidRuntime.cpp

1.2 AndroidRuntime

void AndroidRuntime::start(const char* className, const Vector<String8>& options, bool zygote)
{

    /* start the virtual machine */
    JniInvocation jni_invocation;
    jni_invocation.Init(NULL);
    JNIEnv* env;
//1
    if (startVm(&mJavaVM, &env, zygote) != 0) {
        return;
    }
    onVmCreated(env);
//2
    /*
     * Register android functions.
     */
    if (startReg(env) < 0) {
        ALOGE("Unable to register all android natives\n");
        return;
    }

...
//3 這里的startClass 是 com.android.internal.os.ZygoteInit
       jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
            "([Ljava/lang/String;)V");
        if (startMeth == NULL) {
            ALOGE("JavaVM unable to find main() in '%s'\n", className);
            /* keep going */
        } else {
            env->CallStaticVoidMethod(startClass, startMeth, strArray);

}


start主要做三件事:
1. 調用startVm(), 啟動Java虛擬機
2. 調用startReg() ,注冊JNI函數
3. 調用 env->CallStaticVoidMethod(startClass, startMeth, strArray);通過JNI調用Java的 ZygoteInit 類的main方法。

看下 ZygoteInit.java 的main方法

1.3 ZygoteInit#mian

/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java

public static void main(String argv[]) {
        ZygoteServer zygoteServer = new ZygoteServer();

        ...
//1.創建socket
            zygoteServer.registerServerSocket(socketName);
            // In some configurations, we avoid preloading resources and classes eagerly.
            // In such cases, we will preload things prior to our first fork.
            if (!enableLazyPreload) {
// 2.預加載資源
                preload(bootTimingsTraceLog);
            } else {
                Zygote.resetNicePriority();
            }

            // Do an initial gc to clean up after startup
            gcAndFinalize();

            // Zygote process unmounts root storage spaces.
            Zygote.nativeUnmountStorageOnInit();
//3. startSystemServer
            if (startSystemServer) {
                startSystemServer(abiList, socketName, zygoteServer);
            }

            Log.i(TAG, "Accepting command socket connections");
//4、啟動loop循環
            zygoteServer.runSelectLoop(abiList);

            zygoteServer.closeServerSocket();
        }
    }

主要關注以下幾點:
1. 創建服務端socket。(socket需要客戶端和服務端,這個可以理解)
2. preload 預加載資源(常用的類、主題資源、共享庫等)
3. startSystemServer 啟動系統服務,重點
4. zygoteServer.runSelectLoop(abiList);
開啟無限循環等待AMS發送通知去fork一個新的應用進程

第1、2點很好理解,
第3點的 startSystemServer 先看一下

1.3.1 startSystemServer
    private static boolean startSystemServer(String abiList, String socketName, ZygoteServer zygoteServer)
            throws Zygote.MethodAndArgsCaller, RuntimeException {
int pid;
        String args[] = {
            "--setuid=1000",
            "--setgid=1000",
            "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,1032,3001,3002,3003,3006,3007,3009,3010",
            "--capabilities=" + capabilities + "," + capabilities,
            "--nice-name=system_server",
            "--runtime-args",
            "com.android.server.SystemServer",  // 注意這里類名,
        };
        ZygoteConnection.Arguments parsedArgs = null;
        try {
            parsedArgs = new ZygoteConnection.Arguments(args);
            ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
            ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);
//1 fork進程
            /* Request to fork the system server process */
            pid = Zygote.forkSystemServer(
                    parsedArgs.uid, parsedArgs.gid,
                    parsedArgs.gids,
                    parsedArgs.debugFlags,
                    null,
                    parsedArgs.permittedCapabilities,
                    parsedArgs.effectiveCapabilities);
        } catch (IllegalArgumentException ex) {
            throw new RuntimeException(ex);
        }

        /* For child process */
        if (pid == 0) {
            if (hasSecondZygote(abiList)) {
                waitForSecondaryZygote(socketName);
            }
//2. socket也復制過來了,先關掉
            zygoteServer.closeServerSocket();
            handleSystemServerProcess(parsedArgs);
        }

}

通過Zygote.forkSystemServer 創建了 SystemServer
這也就驗證了 SystemServer 是由 Zygote 負責啟動的。

fork一個子進程,pid返回0,最后一句調用 handleSystemServerProcess

1.3.2 handleSystemServerProcess
private static void handleSystemServerProcess(ZygoteConnection.Arguments parsedArgs)
throws Zygote.MethodAndArgsCaller {

   ...
        if (parsedArgs.invokeWith != null) {
            ...
        } else {
            ClassLoader cl = null;
            if (systemServerClasspath != null) {
                cl = createPathClassLoader(systemServerClasspath, parsedArgs.targetSdkVersion);

                Thread.currentThread().setContextClassLoader(cl);
            }

//1.重點
            /*
             * Pass the remaining arguments to SystemServer.
             */
            ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
        }

        /* should never reach here */
    }

最關鍵的就是最后一句ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl)

1.3.3 ZygoteInit.zygoteInit
    public static final void zygoteInit(int targetSdkVersion, String[] argv,
            ClassLoader classLoader) throws Zygote.MethodAndArgsCaller {
        if (RuntimeInit.DEBUG) {
            Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");
        }

        Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");
        //將 System.out 和 System.err 定向到Android日志中
        RuntimeInit.redirectLogStreams();

        RuntimeInit.commonInit();
        ZygoteInit.nativeZygoteInit();
        RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
    }
  1. 將 System.out 和 System.err 定向到Android日志中
  2. 調用 commonInit(),進行基本的初始化
  3. 調用nativeZygoteInit(),這個native方法去初始化一個Binder用來做進程間通信,下面會分析
  4. 在 RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);中調用 invokeStaticMain(args.startClass, args.startArgs, classLoader);這個方法會調用SystemServer這個類的main方法

重點看3和4

下面我們先看看nativeZygoteInit()方法中做了什么

1.3.4 ZygoteInit #nativeZygoteInit

它對應的實現在
/frameworks/base/core/jni/AndroidRuntime.cpp

static AndroidRuntime* gCurRuntime = NULL;

static void com_android_internal_os_ZygoteInit_nativeZygoteInit(JNIEnv* env, jobject clazz)
{
    gCurRuntime->onZygoteInit();
}

gCurRuntime其實就是AndroidRuntime本身,然后再去找onZygoteInit()方法,但是我們在AndroidRuntime.cpp文件中沒有找到,最后發現AndroidRuntime的子類AppRuntime實現了onZygoteInit()方法。

AppRuntime繼承了AndroidRuntime,所以定位到AppRuntime中,源碼在/frameworks/base/cmds/app_process/app_main.cpp

    virtual void onZygoteInit()
    {
        sp<ProcessState> proc = ProcessState::self();
        ALOGV("App process: starting thread pool.\n");
        proc->startThreadPool();
    }

調用了ProcessState的startThreadPool()方法,ProcessState類位于
/frameworks/native/libs/binder/ProcessState.cpp

void ProcessState::startThreadPool()
{
    AutoMutex _l(mLock);
    if (!mThreadPoolStarted) {
        mThreadPoolStarted = true;
        spawnPooledThread(true);
    }
}

這個方法主要是啟動一個線程池,該線程池中的線程主要是負責和binder驅動程序進行交互的,ProcessState是Binder進程間通信的一個基礎組件,這里我們就不深究了,我們只需要知道nativeZygoteInit()方法初始化了一個線程池用于Binder進程之間的通信,這個方法執行完后,Binder進程間通信基礎就準備好了

回到1.3.3 的第四點繼續看,RuntimeInit.applicationInit(...)

1.3.5 RuntimeInit.applicationInit

/frameworks/base/core/java/com/android/internal/os/RuntimeInit.java

    protected static void applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader)
            throws Zygote.MethodAndArgsCaller {
        VMRuntime.getRuntime().setTargetHeapUtilization(0.75f);
        VMRuntime.getRuntime().setTargetSdkVersion(targetSdkVersion);
...
        invokeStaticMain(args.startClass, args.startArgs, classLoader);
    }

    private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader)
            throws Zygote.MethodAndArgsCaller {
        Class<?> cl;
        try {
            cl = Class.forName(className, true, classLoader);
        } 
        Method m;
        try {
            //1 調用main 方法
            m = cl.getMethod("main", new Class[] { String[].class });
        } 
...
    }

最終會通過JNI調用 SystemServermain方法,怎么知道className是SystemServer
可以回去看1.3.1 startSystemServer, 里面有個參數args 會傳過來。

繼續看SystemServer 的main方法干了啥~
/frameworks/base/services/java/com/android/server/SystemServer.java

    public static void main(String[] args) {
        new SystemServer().run();
    }

    private void run() {
       System.loadLibrary("android_servers");
      // Start services.
        try {
            traceBeginAndSlog("StartServices");
            startBootstrapServices();  //1
            startCoreServices(); //2
            startOtherServices(); //3
            SystemServerInitThreadPool.shutdown();
        }

        // Loop forever.
        Looper.loop();

    }
  1. startBootstrapServices(); 啟動引導服務,太多了,列舉幾個吧

DeviceIdentifiersPolicyService
PowerManagerService
LightsService
DisplayManagerService
PackageManagerService
UserManagerService
...

  1. startCoreServices(); 啟動核心服務,不明白具體是什么服務就看下源碼注釋

DropBoxManagerService
DropBoxManagerService
BatteryService
UsageStatsService
WebViewUpdateService

  1. startOtherServices(); 其它服務有幾十個,列舉幾個常見的

NetworkManagementService
NetworkStatsService
WindowManagerService
InputManagerService
...

各種服務啟動之后,什么時候啟動桌面App呢?

2、 Launcher 的啟動

SystemServer啟動流程上面已經分析完了,那接下來應該是Launcher啟動了,Launcher 在哪里啟動的呢,尋尋覓覓之后發現是在 startOtherServices里,下面具體看一下

startOtherServices 里面有個重點服務要看一下

private void startOtherServices() {
 ...
        mActivityManagerService.systemReady(() -> {
            traceBeginAndSlog("StartActivityManagerReadyPhase");
            mSystemServiceManager.startBootPhase(
                    SystemService.PHASE_ACTIVITY_MANAGER_READY);
            ...
      }
}

ActivityManagerService#systemReady

在startOtherServices函數中,會調用ActivityManagerService的systemReady函數:
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java

public void systemReady(final Runnable goingCallback) {
...
synchronized (this) {
           ...
            mStackSupervisor.resumeFocusedStackTopActivityLocked();
            mUserController.sendUserSwitchBroadcastsLocked(-1, currentUserId);
        }
    }

systemReady函數中調用了ActivityStackSupervisor的resumeFocusedStackTopActivityLocked函數:
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java

    boolean resumeFocusedStackTopActivityLocked() {
        return resumeFocusedStackTopActivityLocked(null, null, null);
    }

    boolean resumeFocusedStackTopActivityLocked(
            ActivityStack targetStack, ActivityRecord target, ActivityOptions targetOptions) {
        if (targetStack != null && isFocusedStack(targetStack)) {
//1
            return targetStack.resumeTopActivityUncheckedLocked(target, targetOptions);
        }
        final ActivityRecord r = mFocusedStack.topRunningActivityLocked();
        if (r == null || r.state != RESUMED) {
            mFocusedStack.resumeTopActivityUncheckedLocked(null, null);
        } else if (r.state == RESUMED) {
            // Kick off any lingering app transitions form the MoveTaskToFront operation.
            mFocusedStack.executeAppTransition(targetOptions);
        }
        return false;
    }

在注釋1處會調用ActivityStack的resumeTopActivityUncheckedLocked函數,ActivityStack對象是用來描述Activity堆棧的,resumeTopActivityUncheckedLocked函數如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStack.java

    boolean resumeTopActivityUncheckedLocked(ActivityRecord prev, ActivityOptions options) {
        if (mStackSupervisor.inResumeTopActivity) {
            // Don't even start recursing.
            return false;
        }

        boolean result = false;
        try {
            // Protect against recursion.
            mStackSupervisor.inResumeTopActivity = true;
//1
            result = resumeTopActivityInnerLocked(prev, options);
        } finally {
            mStackSupervisor.inResumeTopActivity = false;
        }
        // When resuming the top activity, it may be necessary to pause the top activity (for
        // example, returning to the lock screen. We suppress the normal pause logic in
        // {@link #resumeTopActivityUncheckedLocked}, since the top activity is resumed at the end.
        // We call the {@link ActivityStackSupervisor#checkReadyForSleepLocked} again here to ensure
        // any necessary pause logic occurs.
        mStackSupervisor.checkReadyForSleepLocked();

        return result;
    }

看注釋1,調用了resumeTopActivityInnerLocked函數:

 private boolean resumeTopActivityInnerLocked(ActivityRecord prev, ActivityOptions options) {
   ...
   return isOnHomeDisplay() &&
                        mStackSupervisor.resumeHomeStackTask(returnTaskType, prev, "prevFinished");
   ...                 
}

resumeTopActivityInnerLocked函數的代碼很長,我們截取我們要分析的關鍵的一句:調用ActivityStackSupervisor的resumeHomeStackTask函數,代碼如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java

boolean resumeHomeStackTask(int homeStackTaskType, ActivityRecord prev, String reason) {
    ...
    if (r != null && !r.finishing) {
        mService.setFocusedActivityLocked(r, myReason);
        return resumeFocusedStackTopActivityLocked(mHomeStack, prev, null);
    }
    return mService.startHomeActivityLocked(mCurrentUser, myReason);//1
}

最終調用了ActivityManagerService的startHomeActivityLocked函數,如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java

    boolean startHomeActivityLocked(int userId, String reason) {
        if (mFactoryTest == FactoryTest.FACTORY_TEST_LOW_LEVEL
                && mTopAction == null) {
            // We are running in factory test mode, but unable to find
            // the factory test app, so just sit around displaying the
            // error message and don't try to start anything.
            return false;
        }
  //1 getHomeIntent
        Intent intent = getHomeIntent();
        ActivityInfo aInfo = resolveActivityInfo(intent, STOCK_PM_FLAGS, userId);
        if (aInfo != null) {
            intent.setComponent(new ComponentName(aInfo.applicationInfo.packageName, aInfo.name));
            // Don't do this if the home app is currently being
            // instrumented.
            aInfo = new ActivityInfo(aInfo);
            aInfo.applicationInfo = getAppInfoForUser(aInfo.applicationInfo, userId);
            ProcessRecord app = getProcessRecordLocked(aInfo.processName,
                    aInfo.applicationInfo.uid, true);
            if (app == null || app.instr == null) {
                intent.setFlags(intent.getFlags() | Intent.FLAG_ACTIVITY_NEW_TASK);
                final int resolvedUserId = UserHandle.getUserId(aInfo.applicationInfo.uid);
                // For ANR debugging to verify if the user activity is the one that actually
                // launched.
                final String myReason = reason + ":" + userId + ":" + resolvedUserId;
                mActivityStarter.startHomeActivityLocked(intent, aInfo, myReason);
            }
        } else {
            Slog.wtf(TAG, "No home screen found for " + intent, new Throwable());
        }

        return true;
    }

getHomeIntent 看下

    Intent getHomeIntent() {
        Intent intent = new Intent(mTopAction, mTopData != null ? Uri.parse(mTopData) : null);
        intent.setComponent(mTopComponent);
        intent.addFlags(Intent.FLAG_DEBUG_TRIAGED_MISSING);
        if (mFactoryTest != FactoryTest.FACTORY_TEST_LOW_LEVEL) {
            intent.addCategory(Intent.CATEGORY_HOME);
        }
        return intent;
    }

通過Intent 啟動了Launcher App,
也就是AMS的systemReady 函數做的事就是通過Intent 啟動了桌面app

三、總結

Android系統的啟動流程基本分析完了,畫一張簡陋的圖總結一下。

Android系統啟動流程

一般面試問到Android系統啟動流程,可以根據這個流程圖,說一下Zygote、SystemServer、Launcher的啟動流程大概是怎么樣的。

如果你沒有了解Android系統啟動流程,面試剛好問到這個問題,你回答說不會,那么即使你后面問題都回答的很好,最終得到的評價也就是中級偏上


todo:
1.3 ZygoteInit 的最后一個 zygoteServer.runSelectLoop(abiList);
方法開啟一個無限循環,等待ActivityManagerService來連接這個socket然后調用ZygoteConnection.runOnce函數來創建新的應用程序進程,后面分析應用啟動流程的時候再說。

Launcher啟動參考:
http://www.lxweimin.com/p/33152a7bec26

大家最好找個時間自己動手去實踐一下,源碼分析類的文章,從頭看到尾,不去實踐,很快就忘掉了,不會有太大的收獲。

最后編輯于
?著作權歸作者所有,轉載或內容合作請聯系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發布,文章內容僅代表作者本人觀點,簡書系信息發布平臺,僅提供信息存儲服務。