如果你自認為是一個Android高級工程師,或者正在通往高級工程師路上,那么Android系統啟動流程你是必須要了解的,這篇文章將手把手帶你閱讀Android系統源碼,了解Android系統啟動流程。
沒有源碼?沒關系,可以在線看嘛!
這篇文章主要涉及以下內容:
1. Zygote進程啟動
2. SystemServer 進程啟動
3. Launcher啟動
參考8.0源碼 https://www.androidos.net.cn/android/8.0.0_r4/xref/
我們開始吧~
一、Zygote 進程啟動流程
首先,Zygote 進程是由init進程拉起的,
簡單說下init進程,init進程是手機開機的第一個進程,
對 init進程 有興趣的可以參考
http://www.lxweimin.com/p/1d3e722871e8
init進程做的事:
- 創建文件并掛載
- 初始化和啟動屬性服務
- 解析init.rc配置文件并啟動zygote進程
init進程啟動之后會去解析init.rc配置文件,配置文件定義了要啟動的服務,Zygote就是要啟動的服務之一,除此之外還有ServerManager進程等,Zygote啟動腳本可以看init.zygote32.rc,64位也是差不多的。
/system/core/rootdir/init.zygote32.rc
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
class main
priority -20
user root
group root readproc
socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
onrestart restart cameraserver
onrestart restart media
onrestart restart netd
onrestart restart wificond
writepid /dev/cpuset/foreground/tasks
第一行,創建一個名叫 zygote 的進程,這個進程的可執行程序路徑是
/system/bin/app_process,-Xzygote /system/bin --zygote --start-system-server是要傳入到app_process程序中的參數。socket zygote stream 660 root system,這一句是啟動一個名叫zygote的socket,ActivityManagerService進程和Zygote進程通信就是通過這個socket,主要作用是AMS請求Zygote進程fork出一個新的應用程序進程,后面分析應用啟動流程會詳細介紹。
擴展一下,xposed的原理就是通過替換了app_process,實現對Zygote進程的控制。
1.1 Zygote進程啟動之后做了什么事?
Zygote的可執行程序路徑在/system/bin/app_process ,
root手機之后可以通過RE管理器查看,
對應代碼在
/frameworks/base/cmds/app_process/app_main.cpp
int main(int argc, char* const argv[])
{
AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
...
if (zygote) {
//這里會去調用ZygoteInit 的main方法
runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
} else if (className) {
runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
} else {
fprintf(stderr, "Error: no class name or --zygote supplied.\n");
app_usage();
LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
}
}
runtime指的就是AppRuntime,AppRuntime繼承自AndroidRuntime,
class AppRuntime : public AndroidRuntime
{...
也就是我們調用start函數其實是調用AndroidRuntime的start函數:
先看AndroidRuntime,源碼在/frameworks/base/core/jni/AndroidRuntime.cpp
1.2 AndroidRuntime
void AndroidRuntime::start(const char* className, const Vector<String8>& options, bool zygote)
{
/* start the virtual machine */
JniInvocation jni_invocation;
jni_invocation.Init(NULL);
JNIEnv* env;
//1
if (startVm(&mJavaVM, &env, zygote) != 0) {
return;
}
onVmCreated(env);
//2
/*
* Register android functions.
*/
if (startReg(env) < 0) {
ALOGE("Unable to register all android natives\n");
return;
}
...
//3 這里的startClass 是 com.android.internal.os.ZygoteInit
jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
/* keep going */
} else {
env->CallStaticVoidMethod(startClass, startMeth, strArray);
}
start主要做三件事:
1. 調用startVm(), 啟動Java虛擬機
2. 調用startReg() ,注冊JNI函數
3. 調用 env->CallStaticVoidMethod(startClass, startMeth, strArray);通過JNI調用Java的 ZygoteInit 類的main方法。
看下 ZygoteInit.java 的main方法
1.3 ZygoteInit#mian
/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
public static void main(String argv[]) {
ZygoteServer zygoteServer = new ZygoteServer();
...
//1.創建socket
zygoteServer.registerServerSocket(socketName);
// In some configurations, we avoid preloading resources and classes eagerly.
// In such cases, we will preload things prior to our first fork.
if (!enableLazyPreload) {
// 2.預加載資源
preload(bootTimingsTraceLog);
} else {
Zygote.resetNicePriority();
}
// Do an initial gc to clean up after startup
gcAndFinalize();
// Zygote process unmounts root storage spaces.
Zygote.nativeUnmountStorageOnInit();
//3. startSystemServer
if (startSystemServer) {
startSystemServer(abiList, socketName, zygoteServer);
}
Log.i(TAG, "Accepting command socket connections");
//4、啟動loop循環
zygoteServer.runSelectLoop(abiList);
zygoteServer.closeServerSocket();
}
}
主要關注以下幾點:
1. 創建服務端socket。(socket需要客戶端和服務端,這個可以理解)
2. preload 預加載資源(常用的類、主題資源、共享庫等)
3. startSystemServer 啟動系統服務,重點
4. zygoteServer.runSelectLoop(abiList);
開啟無限循環等待AMS發送通知去fork一個新的應用進程
第1、2點很好理解,
第3點的 startSystemServer 先看一下
1.3.1 startSystemServer
private static boolean startSystemServer(String abiList, String socketName, ZygoteServer zygoteServer)
throws Zygote.MethodAndArgsCaller, RuntimeException {
int pid;
String args[] = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,1032,3001,3002,3003,3006,3007,3009,3010",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
"--runtime-args",
"com.android.server.SystemServer", // 注意這里類名,
};
ZygoteConnection.Arguments parsedArgs = null;
try {
parsedArgs = new ZygoteConnection.Arguments(args);
ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);
//1 fork進程
/* Request to fork the system server process */
pid = Zygote.forkSystemServer(
parsedArgs.uid, parsedArgs.gid,
parsedArgs.gids,
parsedArgs.debugFlags,
null,
parsedArgs.permittedCapabilities,
parsedArgs.effectiveCapabilities);
} catch (IllegalArgumentException ex) {
throw new RuntimeException(ex);
}
/* For child process */
if (pid == 0) {
if (hasSecondZygote(abiList)) {
waitForSecondaryZygote(socketName);
}
//2. socket也復制過來了,先關掉
zygoteServer.closeServerSocket();
handleSystemServerProcess(parsedArgs);
}
}
通過Zygote.forkSystemServer 創建了 SystemServer,
這也就驗證了 SystemServer 是由 Zygote 負責啟動的。
fork一個子進程,pid返回0,最后一句調用 handleSystemServerProcess
1.3.2 handleSystemServerProcess
private static void handleSystemServerProcess(ZygoteConnection.Arguments parsedArgs)
throws Zygote.MethodAndArgsCaller {
...
if (parsedArgs.invokeWith != null) {
...
} else {
ClassLoader cl = null;
if (systemServerClasspath != null) {
cl = createPathClassLoader(systemServerClasspath, parsedArgs.targetSdkVersion);
Thread.currentThread().setContextClassLoader(cl);
}
//1.重點
/*
* Pass the remaining arguments to SystemServer.
*/
ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
}
/* should never reach here */
}
最關鍵的就是最后一句ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl)
1.3.3 ZygoteInit.zygoteInit
public static final void zygoteInit(int targetSdkVersion, String[] argv,
ClassLoader classLoader) throws Zygote.MethodAndArgsCaller {
if (RuntimeInit.DEBUG) {
Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");
}
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");
//將 System.out 和 System.err 定向到Android日志中
RuntimeInit.redirectLogStreams();
RuntimeInit.commonInit();
ZygoteInit.nativeZygoteInit();
RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
}
- 將 System.out 和 System.err 定向到Android日志中
- 調用 commonInit(),進行基本的初始化
- 調用nativeZygoteInit(),這個native方法去初始化一個Binder用來做進程間通信,下面會分析
- 在 RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);中調用 invokeStaticMain(args.startClass, args.startArgs, classLoader);這個方法會調用SystemServer這個類的main方法
重點看3和4
下面我們先看看nativeZygoteInit()方法中做了什么
1.3.4 ZygoteInit #nativeZygoteInit
它對應的實現在
/frameworks/base/core/jni/AndroidRuntime.cpp
static AndroidRuntime* gCurRuntime = NULL;
static void com_android_internal_os_ZygoteInit_nativeZygoteInit(JNIEnv* env, jobject clazz)
{
gCurRuntime->onZygoteInit();
}
gCurRuntime其實就是AndroidRuntime本身,然后再去找onZygoteInit()方法,但是我們在AndroidRuntime.cpp文件中沒有找到,最后發現AndroidRuntime的子類AppRuntime實現了onZygoteInit()方法。
AppRuntime繼承了AndroidRuntime,所以定位到AppRuntime中,源碼在/frameworks/base/cmds/app_process/app_main.cpp
virtual void onZygoteInit()
{
sp<ProcessState> proc = ProcessState::self();
ALOGV("App process: starting thread pool.\n");
proc->startThreadPool();
}
調用了ProcessState的startThreadPool()方法,ProcessState類位于
/frameworks/native/libs/binder/ProcessState.cpp
void ProcessState::startThreadPool()
{
AutoMutex _l(mLock);
if (!mThreadPoolStarted) {
mThreadPoolStarted = true;
spawnPooledThread(true);
}
}
這個方法主要是啟動一個線程池,該線程池中的線程主要是負責和binder驅動程序進行交互的,ProcessState是Binder進程間通信的一個基礎組件,這里我們就不深究了,我們只需要知道nativeZygoteInit()方法初始化了一個線程池用于Binder進程之間的通信,這個方法執行完后,Binder進程間通信基礎就準備好了
回到1.3.3 的第四點繼續看,RuntimeInit.applicationInit(...)
1.3.5 RuntimeInit.applicationInit
/frameworks/base/core/java/com/android/internal/os/RuntimeInit.java
protected static void applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader)
throws Zygote.MethodAndArgsCaller {
VMRuntime.getRuntime().setTargetHeapUtilization(0.75f);
VMRuntime.getRuntime().setTargetSdkVersion(targetSdkVersion);
...
invokeStaticMain(args.startClass, args.startArgs, classLoader);
}
private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader)
throws Zygote.MethodAndArgsCaller {
Class<?> cl;
try {
cl = Class.forName(className, true, classLoader);
}
Method m;
try {
//1 調用main 方法
m = cl.getMethod("main", new Class[] { String[].class });
}
...
}
最終會通過JNI調用 SystemServer 的main方法,怎么知道className是SystemServer?
可以回去看1.3.1 startSystemServer, 里面有個參數args 會傳過來。
繼續看SystemServer 的main方法干了啥~
/frameworks/base/services/java/com/android/server/SystemServer.java
public static void main(String[] args) {
new SystemServer().run();
}
private void run() {
System.loadLibrary("android_servers");
// Start services.
try {
traceBeginAndSlog("StartServices");
startBootstrapServices(); //1
startCoreServices(); //2
startOtherServices(); //3
SystemServerInitThreadPool.shutdown();
}
// Loop forever.
Looper.loop();
}
- startBootstrapServices(); 啟動引導服務,太多了,列舉幾個吧
DeviceIdentifiersPolicyService
PowerManagerService
LightsService
DisplayManagerService
PackageManagerService
UserManagerService
...
- startCoreServices(); 啟動核心服務,不明白具體是什么服務就看下源碼注釋
DropBoxManagerService
DropBoxManagerService
BatteryService
UsageStatsService
WebViewUpdateService
- startOtherServices(); 其它服務有幾十個,列舉幾個常見的
NetworkManagementService
NetworkStatsService
WindowManagerService
InputManagerService
...
各種服務啟動之后,什么時候啟動桌面App呢?
2、 Launcher 的啟動
SystemServer啟動流程上面已經分析完了,那接下來應該是Launcher啟動了,Launcher 在哪里啟動的呢,尋尋覓覓之后發現是在 startOtherServices里,下面具體看一下
startOtherServices 里面有個重點服務要看一下
private void startOtherServices() {
...
mActivityManagerService.systemReady(() -> {
traceBeginAndSlog("StartActivityManagerReadyPhase");
mSystemServiceManager.startBootPhase(
SystemService.PHASE_ACTIVITY_MANAGER_READY);
...
}
}
ActivityManagerService#systemReady
在startOtherServices函數中,會調用ActivityManagerService的systemReady函數:
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
public void systemReady(final Runnable goingCallback) {
...
synchronized (this) {
...
mStackSupervisor.resumeFocusedStackTopActivityLocked();
mUserController.sendUserSwitchBroadcastsLocked(-1, currentUserId);
}
}
systemReady函數中調用了ActivityStackSupervisor的resumeFocusedStackTopActivityLocked函數:
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java
boolean resumeFocusedStackTopActivityLocked() {
return resumeFocusedStackTopActivityLocked(null, null, null);
}
boolean resumeFocusedStackTopActivityLocked(
ActivityStack targetStack, ActivityRecord target, ActivityOptions targetOptions) {
if (targetStack != null && isFocusedStack(targetStack)) {
//1
return targetStack.resumeTopActivityUncheckedLocked(target, targetOptions);
}
final ActivityRecord r = mFocusedStack.topRunningActivityLocked();
if (r == null || r.state != RESUMED) {
mFocusedStack.resumeTopActivityUncheckedLocked(null, null);
} else if (r.state == RESUMED) {
// Kick off any lingering app transitions form the MoveTaskToFront operation.
mFocusedStack.executeAppTransition(targetOptions);
}
return false;
}
在注釋1處會調用ActivityStack的resumeTopActivityUncheckedLocked函數,ActivityStack對象是用來描述Activity堆棧的,resumeTopActivityUncheckedLocked函數如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStack.java
boolean resumeTopActivityUncheckedLocked(ActivityRecord prev, ActivityOptions options) {
if (mStackSupervisor.inResumeTopActivity) {
// Don't even start recursing.
return false;
}
boolean result = false;
try {
// Protect against recursion.
mStackSupervisor.inResumeTopActivity = true;
//1
result = resumeTopActivityInnerLocked(prev, options);
} finally {
mStackSupervisor.inResumeTopActivity = false;
}
// When resuming the top activity, it may be necessary to pause the top activity (for
// example, returning to the lock screen. We suppress the normal pause logic in
// {@link #resumeTopActivityUncheckedLocked}, since the top activity is resumed at the end.
// We call the {@link ActivityStackSupervisor#checkReadyForSleepLocked} again here to ensure
// any necessary pause logic occurs.
mStackSupervisor.checkReadyForSleepLocked();
return result;
}
看注釋1,調用了resumeTopActivityInnerLocked函數:
private boolean resumeTopActivityInnerLocked(ActivityRecord prev, ActivityOptions options) {
...
return isOnHomeDisplay() &&
mStackSupervisor.resumeHomeStackTask(returnTaskType, prev, "prevFinished");
...
}
resumeTopActivityInnerLocked函數的代碼很長,我們截取我們要分析的關鍵的一句:調用ActivityStackSupervisor的resumeHomeStackTask函數,代碼如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java
boolean resumeHomeStackTask(int homeStackTaskType, ActivityRecord prev, String reason) {
...
if (r != null && !r.finishing) {
mService.setFocusedActivityLocked(r, myReason);
return resumeFocusedStackTopActivityLocked(mHomeStack, prev, null);
}
return mService.startHomeActivityLocked(mCurrentUser, myReason);//1
}
最終調用了ActivityManagerService的startHomeActivityLocked函數,如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
boolean startHomeActivityLocked(int userId, String reason) {
if (mFactoryTest == FactoryTest.FACTORY_TEST_LOW_LEVEL
&& mTopAction == null) {
// We are running in factory test mode, but unable to find
// the factory test app, so just sit around displaying the
// error message and don't try to start anything.
return false;
}
//1 getHomeIntent
Intent intent = getHomeIntent();
ActivityInfo aInfo = resolveActivityInfo(intent, STOCK_PM_FLAGS, userId);
if (aInfo != null) {
intent.setComponent(new ComponentName(aInfo.applicationInfo.packageName, aInfo.name));
// Don't do this if the home app is currently being
// instrumented.
aInfo = new ActivityInfo(aInfo);
aInfo.applicationInfo = getAppInfoForUser(aInfo.applicationInfo, userId);
ProcessRecord app = getProcessRecordLocked(aInfo.processName,
aInfo.applicationInfo.uid, true);
if (app == null || app.instr == null) {
intent.setFlags(intent.getFlags() | Intent.FLAG_ACTIVITY_NEW_TASK);
final int resolvedUserId = UserHandle.getUserId(aInfo.applicationInfo.uid);
// For ANR debugging to verify if the user activity is the one that actually
// launched.
final String myReason = reason + ":" + userId + ":" + resolvedUserId;
mActivityStarter.startHomeActivityLocked(intent, aInfo, myReason);
}
} else {
Slog.wtf(TAG, "No home screen found for " + intent, new Throwable());
}
return true;
}
getHomeIntent 看下
Intent getHomeIntent() {
Intent intent = new Intent(mTopAction, mTopData != null ? Uri.parse(mTopData) : null);
intent.setComponent(mTopComponent);
intent.addFlags(Intent.FLAG_DEBUG_TRIAGED_MISSING);
if (mFactoryTest != FactoryTest.FACTORY_TEST_LOW_LEVEL) {
intent.addCategory(Intent.CATEGORY_HOME);
}
return intent;
}
通過Intent 啟動了Launcher App,
也就是AMS的systemReady 函數做的事就是通過Intent 啟動了桌面app
三、總結
Android系統的啟動流程基本分析完了,畫一張簡陋的圖總結一下。
一般面試問到Android系統啟動流程,可以根據這個流程圖,說一下Zygote、SystemServer、Launcher的啟動流程大概是怎么樣的。
如果你沒有了解Android系統啟動流程,面試剛好問到這個問題,你回答說不會,那么即使你后面問題都回答的很好,最終得到的評價也就是中級偏上。
todo:
1.3 ZygoteInit 的最后一個 zygoteServer.runSelectLoop(abiList);
方法開啟一個無限循環,等待ActivityManagerService來連接這個socket然后調用ZygoteConnection.runOnce函數來創建新的應用程序進程,后面分析應用啟動流程的時候再說。
Launcher啟動參考:
http://www.lxweimin.com/p/33152a7bec26
大家最好找個時間自己動手去實踐一下,源碼分析類的文章,從頭看到尾,不去實踐,很快就忘掉了,不會有太大的收獲。
