?
1.zygote启动
zygote是由init进程通过解析 init.zygote.rc 文件而创建的,zygote所对应的可执行程序
app_process,所对应的源文件是 app_main.cpp ,进程名为zygote
// system/core/rootdir/init.zygote32.rc
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --startsystem-server
class main
socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart media
onrestart restart netd
writepid /dev/cpuset/foreground/tasks1-2.执行app_main.cpp 中的main方法
int main(int argc, char* const argv[])
{
...
runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
...
}1-3.AndroidRuntime::start
runtime继承自AndroidRuntime
void AndroidRuntime::start(const char* className, const Vector<String8>& options, bool zygote)
{
//启动虚拟机
if (startVm(&mJavaVM, &env, zygote) != 0) {
return;
}
onVmCreated(env);
/*
* Register android functions.注册jni
*/
if (startReg(env) < 0) {
ALOGE("Unable to register all android natives\n");
return;
}
//反射调用ZygoteInit main()方法
jmethodID startMeth = env->GetStaticMethodID(startClass, "main","([Ljava/lang/String;)V");
env->CallStaticVoidMethod(startClass, startMeth, strArray);
...
}package com.android.internal.os;
//ZygoteInit
public static void main(String argv[]) {
...
// 标记Zygote开始初始化,并Hook确保不创建其他线程
ZygoteHooks.startZygoteNoThreadCreation();
// In such cases, we will preload things prior to our first fork.
if (!enableLazyPreload) {
//预加载资源
preload(bootTimingsTraceLog);
} else {
Zygote.resetNicePriority();
}
...
ZygoteHooks.stopZygoteNoThreadCreation();
if (startSystemServer) {
//forkSystemServer
Runnable r = forkSystemServer(abiList, socketName, zygoteServer);
if (r != null) {
r.run();
return;
}
}
...
zygoteServer.closeServerSocket();
}
frameworks/base/services/java/com/android/server/SystemServer.java
public static void main(String[] args) {
new SystemServer().run();
}1-1.run
private void run() {
try {
Looper.prepareMainLooper();
// Initialize native services.
System.loadLibrary("android_servers");
// Initialize the system context.
createSystemContext();
// Create the system service manager.
mSystemServiceManager = new SystemServiceManager(mSystemContext);
mSystemServiceManager.setStartInfo(mRuntimeRestart,
mRuntimeStartElapsedTime, mRuntimeStartUptime);
LocalServices.addService(SystemServiceManager.class, mSystemServiceManager);
// Prepare the thread pool for init tasks that can be parallelized
SystemServerInitThreadPool.get();
} finally {
traceEnd(); // InitBeforeStartServices
}
// Start services.
try {
traceBeginAndSlog("StartServices");
startBootstrapServices();
startCoreServices();
startOtherServices();
SystemServerInitThreadPool.shutdown();
}
// Loop forever.
Looper.loop();
}
private void startBootstrapServices() {
// Activity manager runs the show.
mActivityManagerService = mSystemServiceManager.startService(
ActivityManagerService.Lifecycle.class).getService();
...
mPowerManagerService = mSystemServiceManager.startService(PowerManagerService.class);
...
mSystemServiceManager.startService(RecoverySystemService.class);
...
mSystemServiceManager.startService(LightsService.class);
...
mSystemServiceManager.startService(WEAR_SIDEKICK_SERVICE_CLASS);
...
mDisplayManagerService = mSystemServiceManager.startService(DisplayManagerService.class);
mActivityManagerService.setSystemProcess();
...
}
1-3.setSystemProcess
frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.
java
// 2172
public void setSystemProcess() {
// 2174 添加 AMS("activity")到 service_manager中
ServiceManager.addService(Context.ACTIVITY_SERVICE, this, true);1-4.ServiceManager.addService
frameworks/base/core/java/android/os/ServiceManager.java
public static void addService(String name, IBinder service, boolean
allowIsolated) {
//(分别分析 getIServiceManager和 addService)
getIServiceManager().addService(name, service, allowIsolated);2.getIServiceManager
frameworks/base/core/java/android/os/ServiceManager.java
private static IServiceManager getIServiceManager() {
/* 采用单例形式返回 ServiceManagerProxy对象 */
if (sServiceManager != null) {
return sServiceManager;
}
//相当于 new ServiceManagerProxy(new BinderProxy);
sServiceManager =
ServiceManagerNative.asInterface(BinderInternal.getContextObject());
return sServiceManager;
}2-1.BinderInternal.getContextObject
frameworks/base/core/java/com/android/internal/os/BinderInternal.java
public static final native IBinder getContextObject();2-1-1.android_os_BinderInternal_getContextObject
frameworks/base/core/jni/android_util_Binder.cpp
static jobject android_os_BinderInternal_getContextObject(JNIEnv* env, jobject
clazz)
{
/* 打开 binder驱动(ProcessState是单例的),创建 BpBinder(handle) 对象,并返回 */
sp<IBinder> b = ProcessState::self()->getContextObject(NULL);
return javaObjectForIBinder(env, b);
}2-1-2.javaObjectForIBinder BpBinder与BinderProxy互相绑定
frameworks/base/core/jni/android_util_Binder.cpp
jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
//从 BpBinder中查找 BinderProxy对象,第一次为 null
jobject object = (jobject)val->findObject(&gBinderProxyOffsets);
//创建 BinderProxy对象
object = env->NewObject(gBinderProxyOffsets.mClass,gBinderProxyOffsets.mConstructor);
//BinderProxy.mObject成员变量记录 BpBinder对象
env->SetLongField(object, gBinderProxyOffsets.mObject, (jlong)val.get());
//将 BinderProxy对象信息添加到 BpBinder的成员变量 mObjects中
val->attachObject(&gBinderProxyOffsets, refObject,
jnienv_to_javavm(env), proxy_cleanup);
//inderProxy.mOrgue成员变量记录死亡通知对象
env->SetLongField(object, gBinderProxyOffsets.mOrgue, reinterpret_cast<jlong>
(drl.get()));2-2.ServiceManagerNative.asInterface
frameworks/base/core/java/android/os/ServiceManagerNative.java
static public IServiceManager asInterface(IBinder obj)
{
if (obj == null) {
return null;
}
//obj为 BinderProxy,默认返回 null
IServiceManager in =(IServiceManager)obj.queryLocalInterface(descriptor);
if (in != null) {
return in;
}
return new ServiceManagerProxy(obj);
}2-3.ServiceManagerProxy
frameworks/base/core/java/android/os/ServiceManagerNative.java$ServiceManagerPro
xy.java
class ServiceManagerProxy implements IServiceManager {
public ServiceManagerProxy(IBinder remote) {
mRemote = remote;
}
public IBinder asBinder() {
return mRemote;
}
public IBinder getService(String name) throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
mRemote.transact(GET_SERVICE_TRANSACTION, data, reply, 0);
IBinder binder = reply.readStrongBinder();
reply.recycle();
data.recycle();
return binder;
}
...
public void addService(String name, IBinder service, boolean allowIsolated)
throws RemoteException {
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
data.writeInterfaceToken(IServiceManager.descriptor);
data.writeString(name);
data.writeStrongBinder(service);
data.writeInt(allowIsolated ? 1 : 0);
mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
reply.recycle();
data.recycle();
}
...
}3.SMP.addService--1
3.1?data.writeStrongBinder(service)
nativeWriteStrongBinder(mNativePtr, val);
android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong?nativePtr, jobject object)
static void android_os_Parcel_writeStrongBinder(JNIEnv* env, jclass clazz, jlong nativePtr, jobject object)
{
//将java层 Parcel转换为 native层 Parcel
Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
if (parcel != NULL) {
const status_t err = parcel->writeStrongBinder(ibinderForJavaObject(env, object));
if (err != NO_ERROR) {
signalExceptionForError(env, clazz, err);
}
}
}3-2-1.ibinderForJavaObject
sp<IBinder> ibinderForJavaObject(JNIEnv* env, jobject obj)
{
if (obj == NULL) return NULL;
// 是否是 Java层的 Binder对象,此处是 AMS,if命中
if (env->IsInstanceOf(obj, gBinderOffsets.mClass)) {
JavaBBinderHolder* jbh = (JavaBBinderHolder*)
env->GetLongField(obj, gBinderOffsets.mObject);
//返回 JavaBBinder对象
return jbh != NULL ? jbh->get(env, obj) : NULL;
}
if (env->IsInstanceOf(obj, gBinderProxyOffsets.mClass)) {
return (IBinder*)
env->GetLongField(obj, gBinderProxyOffsets.mObject);
}
ALOGW("ibinderForJavaObject: %p is not a Binder object", obj);
return NULL;
}3-2-2.(Parcel.cpp)parcel->writeStrongBinder
flatten_binder(ProcessState::self(), val, this);
3.3?mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0)
BinderProxy.transact -->?transactNative(code, data, reply, flags);
jni调用android_os_BinderProxy_transac
//获取 BpBinder 对象
IBinder* target = (IBinder*)env->GetLongField(obj, gBinderProxyOffsets.mObject);
status_t err = target->transact(code, *data, reply, flags);
3-3.1BpBinder::transact
status_t BpBinder::transact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
// Once a binder has died, it will never come back to life.
if (mAlive) {
status_t status = IPCThreadState::self()->transact(
mHandle, code, data, reply, flags);
if (status == DEAD_OBJECT) mAlive = 0;
return status;
}
return DEAD_OBJECT;
}3-4.IPCThreadState::transact
status_t IPCThreadState::transact(int32_t handle,
uint32_t code, const Parcel& data,
Parcel* reply, uint32_t flags)
{
status_t err = data.errorCheck();
flags |= TF_ACCEPT_FDS;
if (err == NO_ERROR) {
//整理数据,并把结果存入 mOut 中。(在 talkWithDriver方法中才会将命令真正发送给
Binder驱动)
err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL);
}
...
if ((flags & TF_ONE_WAY) == 0) {
if (reply) {
err = waitForResponse(reply);
} else {
Parcel fakeReply;
err = waitForResponse(&fakeReply);
}
} else {
err = waitForResponse(NULL, NULL);
}
return err;
}3-4-1.writeTransactionData
status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
{
...
// mOut写入命令为 BC_TRANSACTION
mOut.writeInt32(cmd);
// 写入 binder_transaction_data数据
mOut.write(&tr, sizeof(tr));
return NO_ERROR;
}3-5.IPCThreadState::waitForResponse--1
status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
{
uint32_t cmd;
int32_t err;
while (1) {
if ((err=talkWithDriver()) < NO_ERROR) break;
...
}
return err;
}3-5-1.talkWithDriver
status_t IPCThreadState::talkWithDriver(bool doReceive)
{
...
//写入命令 BC_TRANSACTION
if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
...
return err;
}3-5-2.binder_ioctl_write_read--1
binder_transaction(proc, thread, &tr,cmd == BC_TRANSACTION, 0);?
/* 获取目标对象的 target_node,目标是 service_manager,所以可以直接使用全局变量
binder_context_mgr_node */
target_node = context->binder_context_mgr_node;
/* 1919 target_proc为 service_manager进程 */
target_proc = target_node->proc;
// 1954 找到 service_manager进程的 todo队列
target_list = &target_proc->todo;
target_wait = &target_proc->wait;
// 生成一个 binder_transaction 变量(即变量 t),用于描述本次要进行的
transaction(最后将其加入 target_thread->todo)。
// 这样当目标对象被唤醒时,它就可以从这个队列中取出需要做的工作。
t = kzalloc(sizeof(*t), GFP_KERNEL);
//生成一个binder_work变量(即变量 tcomplete),用于说明当前调用者线程有一宗未完成的
transaction(它最后会被添加到本线程的 todo队列中)
tcomplete = kzalloc(sizeof(*tcomplete), GFP_KERNEL);
- addService
? - data.writeStrongBinder(service); -- service == AMS --- 将AMS 放入 data中
? - mRemote.transact --- mRemote == BinderProxy
? ? - 获取BpBinder? --- IPCThreadState::transact
? ? ? - 1.writeTransactionData --- out 写入命令 --write? --- cmd == BC_TRANSACTION
? ? ? - 2.waitForResponse
? ? ? ? - talkWithDriver -- 非常重要 --- 代码非常长
? ? ? ? ? - binder_transaction
? ? ? ? ? ? - handle == 0 --》 sm
? ? ? ? ? ? - 1. target_node
? ? ? ? ? ? ? 2. proc
? ? ? ? ? ? ? 3. todo,wait
? ? ? ? ? ? ? 4. 创建t,tcomplete,
? ? ? ? ? ? ? 5. 数据拷贝
? ? ? ? ? ? ? 6. binder_transaction_binder --> handle
? ? ? ? ? ? ? 7. thread->transaction_stack = t; ---> 方便sm找到client
? ? ? ? ? ? ? 8. t->work.type = BINDER_WORK_TRANSACTION; -- 给sm -- 做事
? ? ? ? ? ? ? 9. tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; -- 给client--挂起
? ? ? ? ? ? ? 10. wake_up_interruptible 唤醒sm
? ? ? - client挂起
? ? ? ? - BR_NOOP ,BR_TRANSACTION_COMPLETE
? ? ? ? - wait_event_freezable --- 挂起
? ? ? - sm处理添加服务
? ? ? ? - BINDER_WORK_TRANSACTION --- 要处理 cmd == BR_TRANSACTION
? ? ? ? - 1. reply初始化
? ? ? ? ? 2. res = func(bs, txn, &msg, &reply); --- 函数指针 --- svcmgr_handler作用:获取或者添加 service
?? ? ? ? ? ? 1. sm是用 svclist? 保存所有服务的
? ? ? ? ? 3. binder_send_reply --- bc_reply
? ? ? ? ? 4. t->work.type = BINDER_WORK_TRANSACTION; --- 给Client
?? ? ? ? ? ? list_add_tail(&t->work.entry, target_list);
?? ? ? ? ? ? tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; -- 给SM --- 被挂起
?? ? ? ? ? ? list_add_tail(&tcomplete->entry, &thread->todo);
? ? ? ? ? 5. wake_up_interruptible(target_wait); -- 唤醒 Client
? ? ? - client 被唤醒
? ? ? ? - BINDER_WORK_TRANSACTION --- cmd = BR_REPLY;
SM 处理 onTransact
- IPCThreadState::executeCommand
? -? error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,?&reply, tr.flags);
? - JavaBBinder.onTransact --- C++
? - jboolean res = env->CallBooleanMethod(mObject, gBinderOffsets.mExecTransact,
? ? ? ? ? ? ? ? code, reinterpret_cast<jlong>(&data), reinterpret_cast<jlong>(reply), flags); -- Binder.java.execTransact 方法
?
?