今天群里有人问ActivityManagerService是怎么创建的,我就写下这篇文章,权当做个知识的温故。
注意,阅读本篇文章需要了解binder的知识,以及一些framework源码相关知识储备。
val activityManager: ActivityManager = getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager
val runningTaskInfos = activityManager.getRunningTasks(1)
val topActivityClassName = runningTaskInfos[0].topActivity.className
我们常常会用这个代码来判断应用是否在前台,那么来看一下具体是怎么实现查询的:
public List<RunningTaskInfo> getRunningTasks(int maxNum)
throws SecurityException {
try {
return getService().getTasks(maxNum);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
}
public static IActivityManager getService() {
return IActivityManagerSingleton.get();
}
private static final Singleton<IActivityManager> IActivityManagerSingleton =
new Singleton<IActivityManager>() {
@Override
protected IActivityManager create() {
final IBinder b = ServiceManager.getService(Context.ACTIVITY_SERVICE);
final IActivityManager am = IActivityManager.Stub.asInterface(b);
return am;
}
};
是通过IActivityManager#getTasks来实现查询的。那么IActivityManager是什么呢?
ServiceManager#getService
public static IBinder getService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return Binder.allowBlocking(rawGetService(name));
}
} catch (RemoteException e) {
Log.e(TAG, "error in getService", e);
}
return null;
}
在继续分析之前,我必须得先普及一个知识点,要不然无法说下去了。- -
当我们手机开机的时候,系统会启动各种系统级进程,其中第一个开启的进程叫system_server,来看下他的方法:
/**
* The main entry point from zygote.
*/
public static void main(String[] args) {
new SystemServer().run();
}
看注释,他就是启动方法,直接创建了一个对象并调用了run方法:
private void run() {
...
startBootstrapServices();
...
}
private void startBootstrapServices() {
mActivityManagerService = mSystemServiceManager.startService(
ActivityManagerService.Lifecycle.class).getService();
}
public <T extends SystemService> T startService(Class<T> serviceClass) {
final T service;
Constructor<T> constructor = serviceClass.getConstructor(Context.class);
service = constructor.newInstance(mContext);
startService(service);
return service;
}
逻辑很简单,就是通过反射创建了ActivityManagerService.Lifecycle对象,然后调用了他的getservice方法。
public static final class Lifecycle extends SystemService {
private final ActivityManagerService mService;
public Lifecycle(Context context) {
super(context);
mService = new ActivityManagerService(context);
}
@Override
public void onStart() {
mService.start();
}
@Override
public void onBootPhase(int phase) {
mService.mBootPhase = phase;
if (phase == PHASE_SYSTEM_SERVICES_READY) {
mService.mBatteryStatsService.systemServicesReady();
mService.mServices.systemServicesReady();
}
}
@Override
public void onCleanupUser(int userId) {
mService.mBatteryStatsService.onCleanupUser(userId);
}
public ActivityManagerService getService() {
return mService;
}
}
很简单,最终返回的是一个叫ActivityManagerService的对象,那么也mActivityManagerService就是ActivityManagerService对象。
再继续往下看:
mActivityManagerService.setSystemProcess();
public void setSystemProcess() {
ServiceManager.addService(Context.ACTIVITY_SERVICE, this, /* allowIsolated= */ true,
DUMP_FLAG_PRIORITY_CRITICAL | DUMP_FLAG_PRIORITY_NORMAL | DUMP_FLAG_PROTO);
}
public static void addService(String name, IBinder service, boolean allowIsolated,
int dumpPriority) {
try {
getIServiceManager().addService(name, service, allowIsolated, dumpPriority);
} catch (RemoteException e) {
Log.e(TAG, "error in addService", e);
}
}
private static IServiceManager getIServiceManager() {
if (sServiceManager != null) {
return sServiceManager;
}
// Find the service manager
sServiceManager = ServiceManagerNative
.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
return sServiceManager;
}
把ActivityManagerService添加到了IServiceManager,那么IServiceManager又是什么呢?
static public IServiceManager asInterface(IBinder obj)
{
if (obj == null) {
return null;
}
IServiceManager in =
(IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ServiceManagerProxy(obj);
}
原来IServiceManager是一个远程binder的代理,猜名字对应的binder本体应该就是具体实现存储ActivityManagerService的。
好了,普及的知识点讲完了,我们回到开头。
public static IBinder getService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return Binder.allowBlocking(rawGetService(name));
}
} catch (RemoteException e) {
Log.e(TAG, "error in getService", e);
}
return null;
}
sCache是个静态map,缓存了好多系统服务。但是ams并不在里面。为什么这么说?我们来看下源码。
public static void initServiceCache(Map<String, IBinder> cache) {
if (sCache.size() != 0) {
throw new IllegalStateException("setServiceCache may only be called once");
}
sCache.putAll(cache);
}
activityManager有个初始化的方法把存储服务的map传进来,这个方法是在哪里调用的呢?我直接告诉大家:
public static void main(String[] args) {
ActivityThread thread = new ActivityThread();
thread.attach(false, startSeq);
}
private void attach(boolean system, long startSeq) {
final IActivityManager mgr = ActivityManager.getService();
mgr.attachApplication(mAppThread, startSeq);
}
这是activityThread的方法,他是我们自己进程在java层的起点,在我们自己进程启动的时候就会走main方法,然后调用了attach方法,获取了ams的binder代理,调用attachApplication方法,那么我们进ams看一下这个方法:
@Override
public final void attachApplication(IApplicationThread thread, long startSeq) {
synchronized (this) {
int callingPid = Binder.getCallingPid();
final int callingUid = Binder.getCallingUid();
final long origId = Binder.clearCallingIdentity();
attachApplicationLocked(thread, callingPid, callingUid, startSeq);
Binder.restoreCallingIdentity(origId);
}
}
private final boolean attachApplicationLocked(IApplicationThread thread,
int pid, int callingUid, long startSeq) {
thread.bindApplication(processName, appInfo, providers, null, profilerInfo,
null, null, null, testMode,
mBinderTransactionTrackingEnabled, enableTrackAllocation,
isRestrictedBackupMode || !normalMode, app.persistent,
new Configuration(getGlobalConfiguration()), app.compat,
getCommonServicesLocked(app.isolated),
mCoreSettingsObserver.getCoreSettingsLocked(),
buildSerial, isAutofillCompatEnabled);
}
然后会调用thread#bindApplication方法,这里的thread是ApplicationThread。他是ActivityThread的内部类,他是一个binder本体,主要作用是当IPC调用的时候,供系统的服务进程远程调用,将方法调用栈回到我们自己的应用进程。注意倒数第4个参数:
private ArrayMap<String, IBinder> getCommonServicesLocked(boolean isolated) {
if (mAppBindArgs == null) {
mAppBindArgs = new ArrayMap<>();
// Add common services.
// IMPORTANT: Before adding services here, make sure ephemeral apps can access them too.
// Enable the check in ApplicationThread.bindApplication() to make sure.
addServiceToMap(mAppBindArgs, "package");
addServiceToMap(mAppBindArgs, Context.WINDOW_SERVICE);
addServiceToMap(mAppBindArgs, Context.ALARM_SERVICE);
addServiceToMap(mAppBindArgs, Context.DISPLAY_SERVICE);
addServiceToMap(mAppBindArgs, Context.NETWORKMANAGEMENT_SERVICE);
addServiceToMap(mAppBindArgs, Context.CONNECTIVITY_SERVICE);
addServiceToMap(mAppBindArgs, Context.ACCESSIBILITY_SERVICE);
addServiceToMap(mAppBindArgs, Context.INPUT_METHOD_SERVICE);
addServiceToMap(mAppBindArgs, Context.INPUT_SERVICE);
addServiceToMap(mAppBindArgs, "graphicsstats");
addServiceToMap(mAppBindArgs, Context.APP_OPS_SERVICE);
addServiceToMap(mAppBindArgs, "content");
addServiceToMap(mAppBindArgs, Context.JOB_SCHEDULER_SERVICE);
addServiceToMap(mAppBindArgs, Context.NOTIFICATION_SERVICE);
addServiceToMap(mAppBindArgs, Context.VIBRATOR_SERVICE);
addServiceToMap(mAppBindArgs, Context.ACCOUNT_SERVICE);
addServiceToMap(mAppBindArgs, Context.POWER_SERVICE);
addServiceToMap(mAppBindArgs, Context.USER_SERVICE);
addServiceToMap(mAppBindArgs, "mount");
}
return mAppBindArgs;
}
看到没,这里加了一大堆服务到map中,然后把这个map通过applicationThread返回到我们自己的进程。
public final void bindApplication(String processName, ApplicationInfo appInfo,
List<ProviderInfo> providers, ComponentName instrumentationName,
ProfilerInfo profilerInfo, Bundle instrumentationArgs,
IInstrumentationWatcher instrumentationWatcher,
IUiAutomationConnection instrumentationUiConnection, int debugMode,
boolean enableBinderTracking, boolean trackAllocation,
boolean isRestrictedBackupMode, boolean persistent, Configuration config,
CompatibilityInfo compatInfo, Map services, Bundle coreSettings,
String buildSerial, boolean autofillCompatibilityEnabled) {
ServiceManager.initServiceCache(services);
}
这样,我们自己进程的ServiceManager内部的map就拥有了刚才通过binder远程获取到的服务的代理,然后并没有ams。
public static IBinder getService(String name) {
try {
IBinder service = sCache.get(name);
if (service != null) {
return service;
} else {
return Binder.allowBlocking(rawGetService(name));
}
} catch (RemoteException e) {
Log.e(TAG, "error in getService", e);
}
return null;
}
因为sCache没有ams,所以肯定是通过rawGetService方法获取的:
private static IBinder rawGetService(String name) throws RemoteException {
final IBinder binder = getIServiceManager().getService(name);
return binder;
}
通过IServiceManager #getService获取,我们之前在开机的时候已经往IServiceManager的远程binder存入过ams了,所以这里自然能取到他的远程代理。
这里还有点要注意:
sServiceManager = ServiceManagerNative
.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
那么这里传入的binder又是哪里来的呢?这就好比鸡生蛋的问题。
/**
* Return the global "context object" of the system. This is usually
* an implementation of IServiceManager, which you can use to find
* other services.
*/
public static final native IBinder getContextObject();
这是一个native方法,看注释,这是一个全局对象,这个全局是针对整个系统的。他通常是IServiceManager的实现类。你可以通过他来找到其他的系统服务。那我们来看一下他的具体实现。
文件位于frameworks/base/core/jni/android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b);
}
这里初始化了ProcessState的构造函数,并调用了他的getContextObject函数。
ProcessState文件位于frameworks\base\libs\binder\ProcessState.cpp
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& caller)
{
if (supportsProcesses()) {
return getStrongProxyForHandle(0);
} else {
return getContextObject(String16("default"), caller);
}
}
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
...
if (e != NULL) {
...
IBinder* b = e->binder;
if (b == NULL || !e->refs->attemptIncWeak(this)) {
b = new BpBinder(handle); //new了一个BpBinder
e->binder = b;
if (b) e->refs = b->getWeakRefs();
result = b;
} else {
...
result.force_set(b);
e->refs->decWeak(this);
}
}
return result;
}
可以看到,new了一个BpBinder返回。再回到android_os_BinderInternal_getContextObject函数:
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject clazz)
{
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b);
}
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
{
if (val == NULL) return NULL;
//返回false
if (val->checkSubclass(&gBinderOffsets)) {
jobject object = static_cast<JavaBBinder*>(val.get())->object();
return object;
}
AutoMutex _l(mProxyLock);
jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
if (object != NULL) {
jobject res = jniGetReferent(env, object);
if (res != NULL) {
return res;
}
android_atomic_dec(&gNumProxyRefs);
val->detachObject(&gBinderProxyOffsets);
env->DeleteGlobalRef(object);
}
//创建BinderProxy对象
object = env->NewObject(gBinderProxyOffsets.mClass, gBinderProxyOffsets.mConstructor);
return object;
}
最终返回给java层的是BinderProxy对象。再回过来看之前的代码:
sServiceManager = ServiceManagerNative
.asInterface(Binder.allowBlocking(BinderInternal.getContextObject()));
static public IServiceManager asInterface(IBinder obj)
{
if (obj == null) {
return null;
}
IServiceManager in =
(IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ServiceManagerProxy(obj);
}
刚才已经分析了,asInterface方法传入的参数是在c++层创建返回的BinderProxy,然后看他的queryLocalInterface方法:
public IInterface queryLocalInterface(String descriptor) {
return null;
}
返回了null,所以最终IServiceManager 其实就是ServiceManagerProxy:
class ServiceManagerProxy implements IServiceManager {
public ServiceManagerProxy(IBinder remote) {
mRemote = remote;
}
public void addService(String name, IBinder service, boolean allowIsolated, int dumpPriority)
throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
data.writeStrongBinder(service);
data.writeInt(allowIsolated ? 1 : 0);
data.writeInt(dumpPriority);
mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
reply.recycle();
data.recycle();
}
public IBinder getService(String name) throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
mRemote.transact(GET_SERVICE_TRANSACTION, data, reply, 0);
IBinder binder = reply.readStrongBinder();
reply.recycle();
data.recycle();
return binder;
}
}
了解binder的同学就很熟悉了,这就是个binder本地代理,如果调用他的addService,实际上是调用BinderProxy的transact:
public boolean transact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
Element.getMethodName());
}
try {
return transactNative(code, data, reply, flags);
} finally {
if (tracingEnabled) {
Trace.traceEnd(Trace.TRACE_TAG_ALWAYS);
}
}
}
public native boolean transactNative(int code, Parcel data, Parcel reply,
int flags) throws RemoteException;
最终调用了native方法transactNative,这里面通过jni委托c++层的BpBinder去执行。
本文的跨度有点大,需要总结一下。如果能把总结读懂了,那么这篇文章就算看懂了。
系统在启动的时候会启动一个叫system_server的进程,这个进程又会去启动servicemanager进程,由他来保存并管理各种系统服务,包括我们本篇说的ams。systemServer会创建ams并把他注册到servicemanager。那是注册的呢?这里要用到IServiceManager,他的具体实现是ServiceManagerProxy,实际上又是通过ProxyBinder,他是servicemanager本身binder的远程代理,通过jni就能最终实现ams的注册。同理,也能通过同样的方法获取ams。
