如果你自认为是一个Android高级工程师,或者正在通往高级工程师路上,那么Android系统启动流程你是必须要了解的,这篇文章将手把手带你阅读Android系统源码,了解Android系统启动流程。
没有源码?没关系,可以在线看嘛!
这篇文章主要涉及以下内容:
1. Zygote进程启动
2. SystemServer 进程启动
3. Launcher启动
参考8.0源码 https://www.androidos.net.cn/android/8.0.0_r4/xref/
我们开始吧~
一、Zygote 进程启动流程
首先,Zygote 进程是由init进程拉起的,
简单说下init进程,init进程是手机开机的第一个进程,
对 init进程 有兴趣的可以参考
https://www.jianshu.com/p/1d3e722871e8
init进程做的事:
- 创建文件并挂载
- 初始化和启动属性服务
- 解析init.rc配置文件并启动zygote进程
init进程启动之后会去解析init.rc
配置文件,配置文件定义了要启动的服务,Zygote就是要启动的服务之一,除此之外还有ServerManager进程等,Zygote启动脚本可以看init.zygote32.rc
,64位也是差不多的。
/system/core/rootdir/init.zygote32.rc
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
class main
priority -20
user root
group root readproc
socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
onrestart restart cameraserver
onrestart restart media
onrestart restart netd
onrestart restart wificond
writepid /dev/cpuset/foreground/tasks
第一行,创建一个名叫 zygote 的进程,这个进程的可执行程序路径是
/system/bin/app_process
,-Xzygote /system/bin --zygote --start-system-server是要传入到app_process程序中的参数。socket zygote stream 660 root system
,这一句是启动一个名叫zygote的socket,ActivityManagerService进程和Zygote进程通信就是通过这个socket,主要作用是AMS请求Zygote进程fork出一个新的应用程序进程,后面分析应用启动流程会详细介绍。
扩展一下,xposed的原理就是通过替换了app_process,实现对Zygote进程的控制。
1.1 Zygote进程启动之后做了什么事?
Zygote的可执行程序路径在/system/bin/app_process
,
root手机之后可以通过RE管理器查看,
对应代码在
/frameworks/base/cmds/app_process/app_main.cpp
int main(int argc, char* const argv[])
{
AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
...
if (zygote) {
//这里会去调用ZygoteInit 的main方法
runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
} else if (className) {
runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
} else {
fprintf(stderr, "Error: no class name or --zygote supplied.\n");
app_usage();
LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
}
}
runtime指的就是AppRuntime,AppRuntime继承自AndroidRuntime,
class AppRuntime : public AndroidRuntime
{...
也就是我们调用start函数其实是调用AndroidRuntime的start函数:
先看AndroidRuntime,源码在/frameworks/base/core/jni/AndroidRuntime.cpp
1.2 AndroidRuntime
void AndroidRuntime::start(const char* className, const Vector<String8>& options, bool zygote)
{
/* start the virtual machine */
JniInvocation jni_invocation;
jni_invocation.Init(NULL);
JNIEnv* env;
//1
if (startVm(&mJavaVM, &env, zygote) != 0) {
return;
}
onVmCreated(env);
//2
/*
* Register android functions.
*/
if (startReg(env) < 0) {
ALOGE("Unable to register all android natives\n");
return;
}
...
//3 这里的startClass 是 com.android.internal.os.ZygoteInit
jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
/* keep going */
} else {
env->CallStaticVoidMethod(startClass, startMeth, strArray);
}
start主要做三件事:
1. 调用startVm(), 启动Java虚拟机
2. 调用startReg() ,注册JNI函数
3. 调用 env->CallStaticVoidMethod(startClass, startMeth, strArray);通过JNI调用Java的 ZygoteInit 类的main方法。
看下 ZygoteInit.java
的main方法
1.3 ZygoteInit#mian
/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
public static void main(String argv[]) {
ZygoteServer zygoteServer = new ZygoteServer();
...
//1.创建socket
zygoteServer.registerServerSocket(socketName);
// In some configurations, we avoid preloading resources and classes eagerly.
// In such cases, we will preload things prior to our first fork.
if (!enableLazyPreload) {
// 2.预加载资源
preload(bootTimingsTraceLog);
} else {
Zygote.resetNicePriority();
}
// Do an initial gc to clean up after startup
gcAndFinalize();
// Zygote process unmounts root storage spaces.
Zygote.nativeUnmountStorageOnInit();
//3. startSystemServer
if (startSystemServer) {
startSystemServer(abiList, socketName, zygoteServer);
}
Log.i(TAG, "Accepting command socket connections");
//4、启动loop循环
zygoteServer.runSelectLoop(abiList);
zygoteServer.closeServerSocket();
}
}
主要关注以下几点:
1. 创建服务端socket。(socket需要客户端和服务端,这个可以理解)
2. preload 预加载资源(常用的类、主题资源、共享库等)
3. startSystemServer 启动系统服务,重点
4. zygoteServer.runSelectLoop(abiList);
开启无限循环等待AMS发送通知去fork一个新的应用进程
第1、2点很好理解,
第3点的 startSystemServer 先看一下
1.3.1 startSystemServer
private static boolean startSystemServer(String abiList, String socketName, ZygoteServer zygoteServer)
throws Zygote.MethodAndArgsCaller, RuntimeException {
int pid;
String args[] = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,1032,3001,3002,3003,3006,3007,3009,3010",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
"--runtime-args",
"com.android.server.SystemServer", // 注意这里类名,
};
ZygoteConnection.Arguments parsedArgs = null;
try {
parsedArgs = new ZygoteConnection.Arguments(args);
ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);
//1 fork进程
/* Request to fork the system server process */
pid = Zygote.forkSystemServer(
parsedArgs.uid, parsedArgs.gid,
parsedArgs.gids,
parsedArgs.debugFlags,
null,
parsedArgs.permittedCapabilities,
parsedArgs.effectiveCapabilities);
} catch (IllegalArgumentException ex) {
throw new RuntimeException(ex);
}
/* For child process */
if (pid == 0) {
if (hasSecondZygote(abiList)) {
waitForSecondaryZygote(socketName);
}
//2. socket也复制过来了,先关掉
zygoteServer.closeServerSocket();
handleSystemServerProcess(parsedArgs);
}
}
通过Zygote.forkSystemServer
创建了 SystemServer,
这也就验证了 SystemServer 是由 Zygote 负责启动的。
fork一个子进程,pid返回0,最后一句调用 handleSystemServerProcess
1.3.2 handleSystemServerProcess
private static void handleSystemServerProcess(ZygoteConnection.Arguments parsedArgs)
throws Zygote.MethodAndArgsCaller {
...
if (parsedArgs.invokeWith != null) {
...
} else {
ClassLoader cl = null;
if (systemServerClasspath != null) {
cl = createPathClassLoader(systemServerClasspath, parsedArgs.targetSdkVersion);
Thread.currentThread().setContextClassLoader(cl);
}
//1.重点
/*
* Pass the remaining arguments to SystemServer.
*/
ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
}
/* should never reach here */
}
最关键的就是最后一句ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl)
1.3.3 ZygoteInit.zygoteInit
public static final void zygoteInit(int targetSdkVersion, String[] argv,
ClassLoader classLoader) throws Zygote.MethodAndArgsCaller {
if (RuntimeInit.DEBUG) {
Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");
}
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");
//将 System.out 和 System.err 定向到Android日志中
RuntimeInit.redirectLogStreams();
RuntimeInit.commonInit();
ZygoteInit.nativeZygoteInit();
RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
}
- 将 System.out 和 System.err 定向到Android日志中
- 调用 commonInit(),进行基本的初始化
- 调用nativeZygoteInit(),这个native方法去初始化一个Binder用来做进程间通信,下面会分析
- 在 RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);中调用 invokeStaticMain(args.startClass, args.startArgs, classLoader);这个方法会调用SystemServer这个类的main方法
重点看3和4
下面我们先看看nativeZygoteInit()
方法中做了什么
1.3.4 ZygoteInit #nativeZygoteInit
它对应的实现在
/frameworks/base/core/jni/AndroidRuntime.cpp
static AndroidRuntime* gCurRuntime = NULL;
static void com_android_internal_os_ZygoteInit_nativeZygoteInit(JNIEnv* env, jobject clazz)
{
gCurRuntime->onZygoteInit();
}
gCurRuntime其实就是AndroidRuntime本身,然后再去找onZygoteInit()
方法,但是我们在AndroidRuntime.cpp文件中没有找到,最后发现AndroidRuntime的子类AppRuntime实现了onZygoteInit()方法。
AppRuntime继承了AndroidRuntime,所以定位到AppRuntime中,源码在/frameworks/base/cmds/app_process/app_main.cpp
virtual void onZygoteInit()
{
sp<ProcessState> proc = ProcessState::self();
ALOGV("App process: starting thread pool.\n");
proc->startThreadPool();
}
调用了ProcessState的startThreadPool()方法,ProcessState类位于
/frameworks/native/libs/binder/ProcessState.cpp
void ProcessState::startThreadPool()
{
AutoMutex _l(mLock);
if (!mThreadPoolStarted) {
mThreadPoolStarted = true;
spawnPooledThread(true);
}
}
这个方法主要是启动一个线程池,该线程池中的线程主要是负责和binder驱动程序进行交互的,ProcessState是Binder进程间通信的一个基础组件,这里我们就不深究了,我们只需要知道nativeZygoteInit()方法初始化了一个线程池用于Binder进程之间的通信,这个方法执行完后,Binder进程间通信基础就准备好了
回到1.3.3 的第四点继续看,RuntimeInit.applicationInit(...)
1.3.5 RuntimeInit.applicationInit
/frameworks/base/core/java/com/android/internal/os/RuntimeInit.java
protected static void applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader)
throws Zygote.MethodAndArgsCaller {
VMRuntime.getRuntime().setTargetHeapUtilization(0.75f);
VMRuntime.getRuntime().setTargetSdkVersion(targetSdkVersion);
...
invokeStaticMain(args.startClass, args.startArgs, classLoader);
}
private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader)
throws Zygote.MethodAndArgsCaller {
Class<?> cl;
try {
cl = Class.forName(className, true, classLoader);
}
Method m;
try {
//1 调用main 方法
m = cl.getMethod("main", new Class[] { String[].class });
}
...
}
最终会通过JNI调用 SystemServer
的main
方法,怎么知道className是SystemServer
?
可以回去看1.3.1 startSystemServer, 里面有个参数args 会传过来。
继续看SystemServer 的main方法干了啥~
/frameworks/base/services/java/com/android/server/SystemServer.java
public static void main(String[] args) {
new SystemServer().run();
}
private void run() {
System.loadLibrary("android_servers");
// Start services.
try {
traceBeginAndSlog("StartServices");
startBootstrapServices(); //1
startCoreServices(); //2
startOtherServices(); //3
SystemServerInitThreadPool.shutdown();
}
// Loop forever.
Looper.loop();
}
- startBootstrapServices(); 启动引导服务,太多了,列举几个吧
DeviceIdentifiersPolicyService
PowerManagerService
LightsService
DisplayManagerService
PackageManagerService
UserManagerService
...
- startCoreServices(); 启动核心服务,不明白具体是什么服务就看下源码注释
DropBoxManagerService
DropBoxManagerService
BatteryService
UsageStatsService
WebViewUpdateService
- startOtherServices(); 其它服务有几十个,列举几个常见的
NetworkManagementService
NetworkStatsService
WindowManagerService
InputManagerService
...
各种服务启动之后,什么时候启动桌面App呢?
2、 Launcher 的启动
SystemServer启动流程上面已经分析完了,那接下来应该是Launcher启动了,Launcher 在哪里启动的呢,寻寻觅觅之后发现是在 startOtherServices里,下面具体看一下
startOtherServices 里面有个重点服务要看一下
private void startOtherServices() {
...
mActivityManagerService.systemReady(() -> {
traceBeginAndSlog("StartActivityManagerReadyPhase");
mSystemServiceManager.startBootPhase(
SystemService.PHASE_ACTIVITY_MANAGER_READY);
...
}
}
ActivityManagerService#systemReady
在startOtherServices函数中,会调用ActivityManagerService的systemReady函数:
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
public void systemReady(final Runnable goingCallback) {
...
synchronized (this) {
...
mStackSupervisor.resumeFocusedStackTopActivityLocked();
mUserController.sendUserSwitchBroadcastsLocked(-1, currentUserId);
}
}
systemReady函数中调用了ActivityStackSupervisor的resumeFocusedStackTopActivityLocked函数:
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java
boolean resumeFocusedStackTopActivityLocked() {
return resumeFocusedStackTopActivityLocked(null, null, null);
}
boolean resumeFocusedStackTopActivityLocked(
ActivityStack targetStack, ActivityRecord target, ActivityOptions targetOptions) {
if (targetStack != null && isFocusedStack(targetStack)) {
//1
return targetStack.resumeTopActivityUncheckedLocked(target, targetOptions);
}
final ActivityRecord r = mFocusedStack.topRunningActivityLocked();
if (r == null || r.state != RESUMED) {
mFocusedStack.resumeTopActivityUncheckedLocked(null, null);
} else if (r.state == RESUMED) {
// Kick off any lingering app transitions form the MoveTaskToFront operation.
mFocusedStack.executeAppTransition(targetOptions);
}
return false;
}
在注释1处会调用ActivityStack的resumeTopActivityUncheckedLocked函数,ActivityStack对象是用来描述Activity堆栈的,resumeTopActivityUncheckedLocked函数如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStack.java
boolean resumeTopActivityUncheckedLocked(ActivityRecord prev, ActivityOptions options) {
if (mStackSupervisor.inResumeTopActivity) {
// Don't even start recursing.
return false;
}
boolean result = false;
try {
// Protect against recursion.
mStackSupervisor.inResumeTopActivity = true;
//1
result = resumeTopActivityInnerLocked(prev, options);
} finally {
mStackSupervisor.inResumeTopActivity = false;
}
// When resuming the top activity, it may be necessary to pause the top activity (for
// example, returning to the lock screen. We suppress the normal pause logic in
// {@link #resumeTopActivityUncheckedLocked}, since the top activity is resumed at the end.
// We call the {@link ActivityStackSupervisor#checkReadyForSleepLocked} again here to ensure
// any necessary pause logic occurs.
mStackSupervisor.checkReadyForSleepLocked();
return result;
}
看注释1,调用了resumeTopActivityInnerLocked函数:
private boolean resumeTopActivityInnerLocked(ActivityRecord prev, ActivityOptions options) {
...
return isOnHomeDisplay() &&
mStackSupervisor.resumeHomeStackTask(returnTaskType, prev, "prevFinished");
...
}
resumeTopActivityInnerLocked函数的代码很长,我们截取我们要分析的关键的一句:调用ActivityStackSupervisor的resumeHomeStackTask函数,代码如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityStackSupervisor.java
boolean resumeHomeStackTask(int homeStackTaskType, ActivityRecord prev, String reason) {
...
if (r != null && !r.finishing) {
mService.setFocusedActivityLocked(r, myReason);
return resumeFocusedStackTopActivityLocked(mHomeStack, prev, null);
}
return mService.startHomeActivityLocked(mCurrentUser, myReason);//1
}
最终调用了ActivityManagerService的startHomeActivityLocked函数,如下所示。
/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
boolean startHomeActivityLocked(int userId, String reason) {
if (mFactoryTest == FactoryTest.FACTORY_TEST_LOW_LEVEL
&& mTopAction == null) {
// We are running in factory test mode, but unable to find
// the factory test app, so just sit around displaying the
// error message and don't try to start anything.
return false;
}
//1 getHomeIntent
Intent intent = getHomeIntent();
ActivityInfo aInfo = resolveActivityInfo(intent, STOCK_PM_FLAGS, userId);
if (aInfo != null) {
intent.setComponent(new ComponentName(aInfo.applicationInfo.packageName, aInfo.name));
// Don't do this if the home app is currently being
// instrumented.
aInfo = new ActivityInfo(aInfo);
aInfo.applicationInfo = getAppInfoForUser(aInfo.applicationInfo, userId);
ProcessRecord app = getProcessRecordLocked(aInfo.processName,
aInfo.applicationInfo.uid, true);
if (app == null || app.instr == null) {
intent.setFlags(intent.getFlags() | Intent.FLAG_ACTIVITY_NEW_TASK);
final int resolvedUserId = UserHandle.getUserId(aInfo.applicationInfo.uid);
// For ANR debugging to verify if the user activity is the one that actually
// launched.
final String myReason = reason + ":" + userId + ":" + resolvedUserId;
mActivityStarter.startHomeActivityLocked(intent, aInfo, myReason);
}
} else {
Slog.wtf(TAG, "No home screen found for " + intent, new Throwable());
}
return true;
}
getHomeIntent 看下
Intent getHomeIntent() {
Intent intent = new Intent(mTopAction, mTopData != null ? Uri.parse(mTopData) : null);
intent.setComponent(mTopComponent);
intent.addFlags(Intent.FLAG_DEBUG_TRIAGED_MISSING);
if (mFactoryTest != FactoryTest.FACTORY_TEST_LOW_LEVEL) {
intent.addCategory(Intent.CATEGORY_HOME);
}
return intent;
}
通过Intent 启动了Launcher App,
也就是AMS的systemReady 函数做的事就是通过Intent 启动了桌面app
三、总结
Android系统的启动流程基本分析完了,画一张简陋的图总结一下。
一般面试问到Android系统启动流程,可以根据这个流程图,说一下Zygote、SystemServer、Launcher的启动流程大概是怎么样的。
如果你没有了解Android系统启动流程,面试刚好问到这个问题,你回答说不会,那么即使你后面问题都回答的很好,最终得到的评价也就是中级偏上。
todo:
1.3 ZygoteInit 的最后一个 zygoteServer.runSelectLoop(abiList);
方法开启一个无限循环,等待ActivityManagerService来连接这个socket然后调用ZygoteConnection.runOnce函数来创建新的应用程序进程,后面分析应用启动流程的时候再说。
Launcher启动参考:
https://www.jianshu.com/p/33152a7bec26
大家最好找个时间自己动手去实践一下,源码分析类的文章,从头看到尾,不去实践,很快就忘掉了,不会有太大的收获。