Android FrameWork - 开机启动 SystemS

相关文章链接：

1. Android FrameWork - 学习启动篇
2. Android FrameWork - 开机启动 Zygote 进程
3. Android FrameWork - 开机启动 SystemServer 进程

相关源码文件：

/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
/frameworks/base/core/java/com/android/internal/os/Zygote.java
/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
/frameworks/base/core/java/com/android/internal/os/RuntimeInit.java
/frameworks/base/services/java/com/android/server/SystemServer.java
/frameworks/base/core/java/android/os/ServiceManager.java
/frameworks/base/core/java/android/os/ServiceManagerNative.java
/frameworks/base/core/java/com/android/internal/os/BinderInternal.java

Zygote 进程 的启动过程中会调用 startSystemServer 方法来启动 SystemServer 进程：

private static boolean startSystemServer(String abiList, String socketName) throws MethodAndArgsCaller, RuntimeException {
    ...
    // 设置一些参数 
    String args[] = {
        "--setuid=1000",
        "--setgid=1000",
        "--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1032,3001,3002,3003,3006,3007",
        "--capabilities=" + capabilities + "," + capabilities,
        "--nice-name=system_server",
        "--runtime-args",
        "com.android.server.SystemServer",
    };

    ZygoteConnection.Arguments parsedArgs = null;
    int pid;
    try {
        ...
        // fork 创建 system_server 进程，后面会具体分析
        pid = Zygote.forkSystemServer(
                parsedArgs.uid, parsedArgs.gid,
                parsedArgs.gids,
                parsedArgs.debugFlags,
                null,
                parsedArgs.permittedCapabilities,
                parsedArgs.effectiveCapabilities);
    } catch (IllegalArgumentException ex) {
        throw new RuntimeException(ex);
    }

    //  pid == 0 代表子进程，也就是 system_server 进程
    if (pid == 0) {
        // 执行初始化 system_server 进程
        handleSystemServerProcess(parsedArgs);
    }
    return true;
}

1. 启动 SystemServer

public static int forkSystemServer(int uid, int gid, int[] gids, int debugFlags,
  int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
    VM_HOOKS.preFork();
    int pid = nativeForkSystemServer(uid, gid, gids, debugFlags, rlimits, permittedCapabilities, effectiveCapabilities);
    // Enable tracing as soon as we enter the system_server.
    if (pid == 0) {
      Trace.setTracingEnabled(true);
    }
    VM_HOOKS.postForkCommon();
    return pid;
}

// 调用的 native 方法去创建的，nativeForkSystemServer() 方法在 AndroidRuntime.cpp 中注册的，调用 com_android_internal_os_Zygote.cpp 中的 com_android_internal_os_Zygote_nativeForkSystemServer() 方法
native private static int nativeForkSystemServer(int uid, int gid, int[] gids, int debugFlags,int[][] rlimits, long permittedCapabilities, long effectiveCapabilities);


static jint com_android_internal_os_Zygote_nativeForkSystemServer(
  JNIEnv* env, jclass, uid_t uid, gid_t gid, jintArray gids,
  jint debug_flags, jobjectArray rlimits, jlong permittedCapabilities,
  jlong effectiveCapabilities) {
  // fork 创建 systemserver 进程
  pid_t pid = ForkAndSpecializeCommon(env, uid, gid, gids,
    debug_flags, rlimits, permittedCapabilities, effectiveCapabilities,
    MOUNT_EXTERNAL_DEFAULT, NULL, NULL, true, NULL,NULL, NULL);
  // pid > 0 是父进程执行的逻辑
  if (pid > 0) {
      // waitpid 等待 SystemServer 进程的退出，如果退出了重启 zygote 进程
      if (waitpid(pid, &status, WNOHANG) == pid) {
          RuntimeAbort(env);
      }
  }
  return pid;
}

static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray javaGids, jint debug_flags, jobjectArray javaRlimits, jlong permittedCapabilities, jlong effectiveCapabilities, jint mount_external, jstring java_se_info, jstring java_se_name, bool is_system_server, jintArray fdsToClose, jstring instructionSet, jstring dataDir) {
  //设置子进程的 signal 信号处理函数
  SetSigChldHandler(); 
  // fork 子进程(SystemServer)
  pid_t pid = fork();
  if (pid == 0) {
    // 进入子进程
    ...
    // gZygoteClass = com/android/internal/os/Zygote
    // gCallPostForkChildHooks = GetStaticMethodIDOrDie(env, gZygoteClass, "callPostForkChildHooks", "(ILjava/lang/String;)V");
    // 等价于调用 Zygote.callPostForkChildHooks()
    env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, debug_flags,is_system_server ? NULL : instructionSet);
    ...
  } else if (pid > 0) {
    // the parent process
  }
  return pid;
}

private static void handleSystemServerProcess( ZygoteConnection.Arguments parsedArgs) throws ZygoteInit.MethodAndArgsCaller {
  ...
  if (parsedArgs.invokeWith != null) {
    ...
  } else {
    ClassLoader cl = null;
    if (systemServerClasspath != null) {
      // 创建类加载器，并赋予当前线程
      cl = new PathClassLoader(systemServerClasspath, ClassLoader.getSystemClassLoader());
      Thread.currentThread().setContextClassLoader(cl);
    }
    // RuntimeInit.zygoteInit
    RuntimeInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
  }
}

public static final void zygoteInit(int targetSdkVersion, String[] argv, ClassLoader classLoader) throws ZygoteInit.MethodAndArgsCaller {
  ...
  // 通用的一些初始化
  commonInit();
  // 这个方法是 native 方法，主要是打开 binder 驱动，启动 binder 线程，后面分析 binder 驱动的时候再详解。
  nativeZygoteInit(); 
  // 应用初始化
  applicationInit(targetSdkVersion, argv, classLoader); 
}

private static void applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader) throws ZygoteInit.MethodAndArgsCaller {
  ...  
  final Arguments args;
  try {
    // 解析参数 Arguments
    args = new Arguments(argv); 
  } catch (IllegalArgumentException ex) {
    return;
  }
  ...
  invokeStaticMain(args.startClass, args.startArgs, classLoader);
}

private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader) throws ZygoteInit.MethodAndArgsCaller {
  Class<?> cl = Class.forName(className, true, classLoader);
  ...

  Method m;
  try {
    m = cl.getMethod("main", new Class[] { String[].class });
  } catch (NoSuchMethodException ex) {
    ...
  } catch (SecurityException ex) {
    ...
  }
  ...
  // 通过抛出异常，回到了 ZygoteInit.main() 
  // try{} catch (MethodAndArgsCaller caller) {caller.run();}
  throw new ZygoteInit.MethodAndArgsCaller(m, argv);
}

绕了一大圈我们发现是通过抛异常回到了 ZygoteInit.main() 方法中的 try...catch(){ MethodAndArgsCaller.run() }

2. 创建 SystemServer

public static class MethodAndArgsCaller extends Exception implements Runnable {
  ...
  public void run() {
    try {
      // 根据传递过来的参数可知，此处通过反射机制调用的是 SystemServer.main() 方法
      mMethod.invoke(null, new Object[] { mArgs });
    } catch (IllegalAccessException ex) {
      ...
    }
}

public final class SystemServer {
  ...
  public static void main(String[] args) {
    new SystemServer().run();
  }

  private void run() {
    // 主线程 looper
    Looper.prepareMainLooper();

    // 初始化系统上下文
    createSystemContext();

    // 创建系统服务管理
    mSystemServiceManager = new SystemServiceManager(mSystemContext);
    // 将 mSystemServiceManager 添加到本地服务的成员 sLocalServiceObjects，sLocalServiceObjects 里面是一个静态的 map 集合
    LocalServices.addService(SystemServiceManager.class, mSystemServiceManager);

    //启动各种系统服务
    try {
      // 启动引导服务 
      startBootstrapServices(); 
      // 启动核心服务 
      startCoreServices();
      // 启动其他服务
      startOtherServices();     
    } catch (Throwable ex) {
      Slog.e("System", "************ Failure starting system services", ex);
      throw ex;
    }

    // 一直循环执行
    Looper.loop();
    throw new RuntimeException("Main thread loop unexpectedly exited");
  }

  private void createSystemContext() {
    // 创建系统进程的上下文信息，这个在进程启动再详解
    ActivityThread activityThread = ActivityThread.systemMain();
    mSystemContext = activityThread.getSystemContext();
    ...
  }

  private void startBootstrapServices() {
    // 阻塞等待与 installd 建立 socket 通道
    Installer installer = mSystemServiceManager.startService(Installer.class);

    // 启动服务 ActivityManagerService
    mActivityManagerService = mSystemServiceManager.startService(ActivityManagerService.Lifecycle.class).getService();
    mActivityManagerService.setSystemServiceManager(mSystemServiceManager);

    // 启动服务 PackageManagerService
    mPackageManagerService = PackageManagerService.main(mSystemContext, installer, mFactoryTestMode != FactoryTest.FACTORY_TEST_OFF, mOnlyCore);
    mPackageManager = mSystemContext.getPackageManager();

    // 设置 AMS , 把自己交给 ServiceManager. addService 去管理
    mActivityManagerService.setSystemProcess();

    ...
  }

  private void startCoreServices() {
      ...
  }

  private void startOtherServices() {
    // 启动闹钟服务
    mSystemServiceManager.startService(AlarmManagerService.class); 
    // 初始化 Watchdog
    final Watchdog watchdog = Watchdog.getInstance();
    watchdog.init(context, mActivityManagerService); 
    // 输入管理的 service
    inputManager = new InputManagerService(context);
    // WindowManagerService
    wm = WindowManagerService.main(...); 
    // InputManagerService 和 WindowManagerService 都交给 ServiceManager 管理
    ServiceManager.addService(Context.WINDOW_SERVICE, wm);
    ServiceManager.addService(Context.INPUT_SERVICE, inputManager);
    // 启动input
    inputManager.start(); 
    // 显示启动界面
    ActivityManagerNative.getDefault().showBootMessage(...); 
    // 状态栏管理
    statusBar = new StatusBarManagerService(context, wm); 
    // JobSchedulerService
    mSystemServiceManager.startService(JobSchedulerService.class); 
    ...
    // 准备好了 wms,  pms, ams 服务
    wm.systemReady();
    mPackageManagerService.systemReady();
    mActivityManagerService.systemReady();
  }

  ...
}

在 Android 系统中大约有 80 个系统服务，都是由 SystemServer 进程来创建的。作为一个应用开发者来说，需要特别熟悉的大概有这么四个：ActivityManagerService、WindowManagerService、PackageManagerService 和 InputManagerService，也就是我们常说的 ams、wms、pms 和 ims。

3. 管理 SystemServer

系统服务启动后都会交给 ServiceManager 来管理，无论是 mSystemServiceManager.startService 还是 ServiceManager.addService 都是走的 ServiceManager.addService() 方法：

public static void addService(String name, IBinder service) {
  try {
    getIServiceManager().addService(name, service, false);
  } catch (RemoteException e) {
    Log.e(TAG, "error in addService", e);
  }
}

private static IServiceManager getIServiceManager() {
  if (sServiceManager != null) {
    return sServiceManager;
  }
  sServiceManager = ServiceManagerNative.asInterface(BinderInternal.getContextObject());
  return sServiceManager;
}

public abstract class ServiceManagerNative extends Binder implements IServiceManager {
  static public IServiceManager asInterface(IBinder obj)  {
    if (obj == null) {
      return null;
    }
    IServiceManager in =(IServiceManager)obj.queryLocalInterface(descriptor);
    if (in != null) {
      return in;
    }
    // 创建 ServiceManagerProxy 对象 
    return new ServiceManagerProxy(obj);
  }
}

class ServiceManagerProxy implements IServiceManager {
    private IBinder mRemote;
    
    public ServiceManagerProxy(IBinder remote) {
        mRemote = remote;
    }
    ...
    // IPC binder 驱动
    public void addService(String name, IBinder service, boolean allowIsolated)
           throws RemoteException {
      Parcel data = Parcel.obtain();
      Parcel reply = Parcel.obtain();
      data.writeInterfaceToken(IServiceManager.descriptor);
      data.writeString(name);
      data.writeStrongBinder(service);
      data.writeInt(allowIsolated ? 1 : 0);
      // mRemote 是 IBinder 对象
      mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
      reply.recycle();
      data.recycle();
    }
}

最后我们再来总结一下：SystemServer 进程是由 Zygote 进程 fork 创建的，SystemServer 进程创建后会创建启动引导服务、核心服务和其他服务，并且将所创建的服务，通过跨进程通信交给 ServiceManager 进程来管理。至于怎么启动 ServiceManager 和 Binder 驱动跨进程通信，我们到后面的文章再去详细分析，同时 Binder 驱动也是 FrameWork 源码分析中最难的一个部分，希望我们能有所准备。

视频地址：https://pan.baidu.com/s/1j_wgzITcgABVbThvO0VBPA
视频密码：jj4b