Zygote被称为孵化器,因为在Android中DVM、ART、应用程序进程以及系统服务进程(SystemServer)都是有它来创建的,而且是通过是通过fork的形式来创建应用程序进程和SystemServer,所以这些进程的内部会获取一个DVM或者ART的实例副本。下面我们重点看一下它的启动过程。
Zygote启动时主要调用app_main.cpp的main函数中的AndroidRuntime的start方法来启动Zygote进程。 其中app_main中的Runtime的start方法如下
runtime.start("com.android.internal.os.ZygoteInit",args,zygote)
接着看AndroidRuntime.cpp(frameworks/base/core/jni/AndroidRuntime.cpp)中的这个方法
void AndroidRuntime::start(const char*className,const Vector<String8>&options, bool zygote) {
...
JniInvocation jni_invocation;
//加载DVM或ART
jni_invocation.Init(NULL);
JNIEnv * env;
//启动Java虚拟机
if (startVm( & mJavaVM,&env, zygote)!=0){
return;
}
onVmCreated(env);
/*
* 为Java虚拟机注册JNI方法.
*/
if (startReg(env) < 0) {
ALOGE("Unable to register all android natives\n");
return;
}
...
//传入的className为com.android.internal.os.ZygoteInit
classNameStr = env -> NewStringUTF(className);
...
//将路径中的.替换为/
char*slashClassName = toSlashClassName(className);
//找到ZygoteInit
jclass startClass = env -> FindClass(slashClassName);
if (startClass == NULL) {
ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
/* keep going */
} else {
//找到ZygoteInit的main方法
jmethodID startMeth = env -> GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
/* keep going */
} else {
//通过JNI调用ZygoteInit的main方法
env -> CallStaticVoidMethod(startClass, startMeth, strArray);
#if 0
if (env -> ExceptionCheck())
threadExitUncaughtException(env);
#endif
}
}
...
}
其中这个方法中主要做了这么几件事,1启动Java虚拟机,2为Java虚拟机注册JNI方法处理传过来的className并找到该类(ZygoteInit),找到该类中的main方法并通过jni调用,至此Zygote就从Native层进入了Java层。具体看一下main方法中做了什么
public static void main(String argv[]) {
ZygoteServer zygoteServer = new ZygoteServer();
...
// 注册一个服务端的Socket.
zygoteServer.registerServerSocketFromEnv(socketName);
// In some configurations, we avoid preloading resources and classes eagerly.
// In such cases, we will preload things prior to our first fork.
if (!enableLazyPreload) {
bootTimingsTraceLog.traceBegin("ZygotePreload");
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_START,
SystemClock.uptimeMillis());
// 预加载类和资源
preload(bootTimingsTraceLog);
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_END,
SystemClock.uptimeMillis());
bootTimingsTraceLog.traceEnd(); // ZygotePreload
} else {
Zygote.resetNicePriority();
}
// Do an initial gc to clean up after startup
bootTimingsTraceLog.traceBegin("PostZygoteInitGC");
gcAndFinalize();
bootTimingsTraceLog.traceEnd(); // PostZygoteInitGC
bootTimingsTraceLog.traceEnd(); // ZygoteInit
// Disable tracing so that forked processes do not inherit stale tracing tags from
// Zygote.
Trace.setTracingEnabled(false, 0);
Zygote.nativeSecurityInit();
// Zygote process unmounts root storage spaces.
Zygote.nativeUnmountStorageOnInit();
ZygoteHooks.stopZygoteNoThreadCreation();
if (startSystemServer) {
// 启动SystemServer
Runnable r = forkSystemServer(abiList, socketName, zygoteServer);
// {@code r == null} in the parent (zygote) process, and {@code r != null} in the
// child (system_server) process.
if (r != null) {
r.run();
return;
}
}
Log.i(TAG, "Accepting command socket connections");
// l等待AMS请求.
caller = zygoteServer.runSelectLoop(abiList);
} catch (Throwable ex) {
Log.e(TAG, "System zygote died with exception", ex);
throw ex;
} finally {
zygoteServer.closeServerSocket();
}
...
}
这里的ZygoteServer提供了等待UNIX系统的socket功能,并且派生继承VM初始状态的子进程。在启动Zygote的时候传递的参数有(service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server class main,其中service是init.rc中的AndroidInitLanguage中的Service类型语句,后面的“..64”则是执行程序路径,在后面的则是参数),可以看到传递的参数有“zygote”和“start-system_server”,所以会执行preload以及forkSystemServer。整个main方法其实就做了四件事创建一个serverSocket,预加载类和资源,启动SystemServer,等待AMS请求创建新的应用程序进程。这里重点看一下启动SystemServer。
forkSystemServer(ZygoteInit.java)
private static Runnable forkSystemServer(String abiList, String socketName,
ZygoteServer zygoteServer) {
...
/* Hardcoded command line to start the system server */
String args[] = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,1024,1032,1065,3001,3002,3003,3006,3007,3009,3010",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
"--runtime-args",
"--target-sdk-version=" + VMRuntime.SDK_VERSION_CUR_DEVELOPMENT,
"com.android.server.SystemServer",
};
ZygoteConnection.Arguments parsedArgs = null;
int pid;
try {
parsedArgs = new ZygoteConnection.Arguments(args);
ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);
boolean profileSystemServer = SystemProperties.getBoolean(
"dalvik.vm.profilesystemserver", false);
if (profileSystemServer) {
parsedArgs.runtimeFlags |= Zygote.PROFILE_SYSTEM_SERVER;
}
/* Request to fork the system server process */
pid = Zygote.forkSystemServer(
parsedArgs.uid, parsedArgs.gid,
parsedArgs.gids,
parsedArgs.runtimeFlags,
null,
parsedArgs.permittedCapabilities,
parsedArgs.effectiveCapabilities);
} catch (IllegalArgumentException ex) {
throw new RuntimeException(ex);
}
/* For child process */
if (pid == 0) {
if (hasSecondZygote(abiList)) {
waitForSecondaryZygote(socketName);
}
zygoteServer.closeServerSocket();
return handleSystemServerProcess(parsedArgs);
}
return null;
}
这里首先构造了一些arg,主要用于fork子进程以及在子进程中运用这些参数,主要包括pid、uid等。然后利用 ZygoteConnection.Arguments来构造这些参数,而 ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);则是如果系统可调式的话就添加args.runtimeFlags |= Zygote.DEBUG_ENABLE_JDWP属性ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs)则是将args.invokeWith = null;重置为null。紧接着利用这些参数来创建一个子进程。成功后会返回0,进而执行handleSystemServerProcess(ZygoteInit.java)
private static Runnable handleSystemServerProcess(ZygoteConnection.Arguments parsedArgs) {
...
if (parsedArgs.invokeWith != null) {
...
} else {
ClassLoader cl = null;
if (systemServerClasspath != null) {
cl = createPathClassLoader(systemServerClasspath, parsedArgs.targetSdkVersion);
Thread.currentThread().setContextClassLoader(cl);
}
/*
* Pass the remaining arguments to SystemServer.
*/
return ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
}
/* should never reach here */
}
因为之前们的invokeWith属性为null,所以这里会执行else分支,重要的是创建了一个PathClassLoader,然后用这个调用zygoteInit(ZygoteInit.java)方法
public static final Runnable zygoteInit(int targetSdkVersion, String[] argv, ClassLoader classLoader) {
...
RuntimeInit.redirectLogStreams();
RuntimeInit.commonInit();
ZygoteInit.nativeZygoteInit();
return RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
}
这里的nativeZygoteInit是用来启动Binder线程池的,而这个applicationInit则是进入SystemServer的main方法,这里是通过反射来调用方法的,所以需要classLoader等信息。我们直接看SystemServer中的这个main方法,他其实就是调用了该类的run方法
private void run() {
try {
...
//创建消息的looper.
Looper.prepareMainLooper();
Looper.getMainLooper().setSlowLogThresholdMs(
SLOW_DISPATCH_THRESHOLD_MS, SLOW_DELIVERY_THRESHOLD_MS);
//加载动态链接库libandroid_servers.so.
System.loadLibrary("android_servers");
// Check whether we failed to shut down last time we tried.
// This call may not return.
performPendingShutdown();
//初始化系统context.
createSystemContext();
// 创建SystemServiceManager
mSystemServiceManager = new SystemServiceManager(mSystemContext);
mSystemServiceManager.setStartInfo(mRuntimeRestart,
mRuntimeStartElapsedTime, mRuntimeStartUptime);
LocalServices.addService(SystemServiceManager.class, mSystemServiceManager);
// Prepare the thread pool for init tasks that can be parallelized
SystemServerInitThreadPool.get();
} finally {
traceEnd(); // InitBeforeStartServices
}
// Start services.
try {
traceBeginAndSlog("StartServices");
// 启动引导服务
startBootstrapServices();
// 启动核心服务.
startCoreServices();
//启动其他服务.
startOtherServices();
SystemServerInitThreadPool.shutdown();
} catch (Throwable ex) {
Slog.e("System", "******************************************");
Slog.e("System", "************ Failure starting system services", ex);
throw ex;
} finally {
traceEnd();
}
StrictMode.initVmDefaults(null);
if (!mRuntimeRestart && !isFirstBootOrUpgrade()) {
int uptimeMillis = (int) SystemClock.elapsedRealtime();
MetricsLogger.histogram(null, "boot_system_server_ready", uptimeMillis);
final int MAX_UPTIME_MILLIS = 60 * 1000;
if (uptimeMillis > MAX_UPTIME_MILLIS) {
Slog.wtf(SYSTEM_SERVER_TIMING_TAG,
"SystemServer init took too long. uptimeMillis=" + uptimeMillis);
}
}
// Loop forever.
Looper.loop();
throw new RuntimeException("Main thread loop unexpectedly exited");
}
主要是创建了SystemServiceManager,它会对系统服务进行创建、启动和生命周期管理。接下来就开始启动各种服务,比如引导服务(包括ActivityManagerService、PackageMangerService、PowerManagerService等),核心服务(BatteryService等)、其他服务(CameraService、AlarmManagerService、windowManagerService等),我们重点看一下这个引导服务,因为他启动了ActivityManagerService
private void startBootstrapServices() {
...
//首先会初始化安装,它可以创建一些重要的文件夹比如/data/user,等它完成之后才能初始化其他服务
...
Installer installer = mSystemServiceManager.startService(Installer.class);
...
//启动APP之后我们可能需要获取设备标识符,所以设备标识符策略服务会在ActivityManager之前创建
mSystemServiceManager.startService(DeviceIdentifiersPolicyService.class);
...
// 创建ActivityManagerService.
mActivityManagerService = mSystemServiceManager.startService(
ActivityManagerService.Lifecycle.class).getService();
mActivityManagerService.setSystemServiceManager(mSystemServiceManager);
mActivityManagerService.setInstaller(installer);
...
//PowerManagerService需要尽早的初始化,因为一些其他的服务依赖于它
mPowerManagerService = mSystemServiceManager.startService(PowerManagerService.class);
...
PMS启动之后,利用AMS初始化它的管理特性
mActivityManagerService.initPowerManagement();
...
//启动RecoverySystemService
traceBeginAndSlog("StartRecoverySystemService");
mSystemServiceManager.startService(RecoverySystemService.class);
...
// 启动lightService,管理LED和显示屏背光,因此我们需要它来启动显示屏。
mSystemServiceManager.startService(LightsService.class);
...
//程序包管理器启动之前,需要显示管理器提供显示服务。所以这里启动DisplayManagerService
mDisplayManagerService = mSystemServiceManager.startService(DisplayManagerService.class);
...
//启动PMS
mPackageManagerService = PackageManagerService.main(mSystemContext, installer,
mFactoryTestMode != FactoryTest.FACTORY_TEST_OFF, mOnlyCore);
mFirstBoot = mPackageManagerService.isFirstBoot();
mPackageManager = mSystemContext.getPackageManager();
...
}
这里我们重点看一下AMS的创建和启动 调用了SystemServiceManager中的startService方法
public <T extends SystemService> T startService(Class<T> serviceClass) {
try {
final String name = serviceClass.getName();
...
final T service;
try {
Constructor<T> constructor = serviceClass.getConstructor(Context.class);
service = constructor.newInstance(mContext);
} ...
startService(service);
return service;
} finally {
Trace.traceEnd(Trace.TRACE_TAG_SYSTEM_SERVER);
}
}
可以看到这里利用反射创建了一个service的实例,并且调用了SystemServiceManager中的startService方法
public void startService(@NonNull final SystemService service) {
// Register it.
mServices.add(service);
// Start it.
long time = SystemClock.elapsedRealtime();
try {
service.onStart();
} ...
}
这个startService方法其实就做了两件事,首先将当前的Service加入到mService这个数组中,这个数组保存了需要接收生命周期事件的SystemServer,其次则是调用当前service的onStart方法。而这个service其实就是我们传入的参数ActivityManagerService.Lifecycle.class
public static final class Lifecycle extends SystemService {
private final ActivityManagerService mService;
public Lifecycle(Context context) {
super(context);
mService = new ActivityManagerService(context);
}
@Override
public void onStart() {
mService.start();
}
@Override
public void onBootPhase(int phase) {
mService.mBootPhase = phase;
if (phase == PHASE_SYSTEM_SERVICES_READY) {
mService.mBatteryStatsService.systemServicesReady();
mService.mServices.systemServicesReady();
}
}
@Override
public void onCleanupUser(int userId) {
mService.mBatteryStatsService.onCleanupUser(userId);
}
public ActivityManagerService getService() {
return mService;
}
}
可以看到在它的构造方法中创建了一个ActivityManagerService对象,而它的onStart方法则是调用了AMS的start方法,至此AMS的启动流程就结束了。
