开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 移动开发 -> Android 12 init(6) Subcontext进程工作过程分析 -> 正文阅读

[移动开发]Android 12 init(6) Subcontext进程工作过程分析

文章托管在gitee上 Android Notes , 同步csdn
本文基于Android12 分析

概述

在init启动过程中，会启动一个subcontext进程，通常与init有着不一样的 secontext 以及 mount namespace。该进程用来接收来自init的命令，用来执行某些操作，这些操作是在 subcontext 的secontext 和 mount namespace 下进行。通过ps命令看看init及subcontext进程信息

# ps -AZ | grep init                                                                                                            
u:r:init:s0                    root             1     0 10904472  3956 do_epoll_wait       0 S init   # 这个是 init 进程
u:r:vendor_init:s0             root           166     1 10780496  1924 do_sys_poll         0 S init   # 这个是 subcontext 进程

Subcontext 进程启动与初始化

Subcontext 进程是在init启动第二阶段进行启动和初始化的，在SecondStageMain函数中调用InitializeSubcontext去完成相关操作。

SecondStageMain

int SecondStageMain(int argc, char** argv) {
  ...
  const BuiltinFunctionMap& function_map = GetBuiltinFunctionMap(); // 内置函数表
  Action::set_function_map(&function_map); // 设置 Action 需要的函数映射表
  ...
  if (!SetupMountNamespaces()) { // 初始化 Mount Namespaces
    PLOG(FATAL) << "SetupMountNamespaces failed";
  }

  InitializeSubcontext(); // 初始化Subcontext

  ActionManager& am = ActionManager::GetInstance(); // 创建action管理器
  ServiceList& sm = ServiceList::GetInstance(); // 创建服务管理列表

  LoadBootScripts(am, sm); // 加载并解析启动脚本
  ...
}

SetupMountNamespaces

如果apex可更新并且不是recovery模式，则会创建一个新的mount namespace，被记为default，而原始的则称为 bootstrap
否则，default 和 bootstrap 的mount namespace是同一个

bool SetupMountNamespaces() {
    // Set the propagation type of / as shared so that any mounting event (e.g.
    // /data) is by default visible to all processes. When private mounting is
    // needed for /foo/bar, then we will make /foo/bar as a mount point (by
    // bind-mounting by to itself) and set the propagation type of the mount
    // point to private.
    if (!ChangeMount("/", MS_SHARED | MS_REC)) return false; // 将根 / 挂载为共享

    // /apex is a private mountpoint to give different sets of APEXes for
    // the bootstrap and default mount namespaces. The processes running with
    // the bootstrap namespace get APEXes from the read-only partition.
    if (!(ChangeMount("/apex", MS_PRIVATE))) return false;  // 将/apex 挂载为私有

    // /linkerconfig is a private mountpoint to give a different linker configuration
    // based on the mount namespace. Subdirectory will be bind-mounted based on current mount
    // namespace
    if (!(ChangeMount("/linkerconfig", MS_PRIVATE))) return false; // 将/linkerconfig 挂载为私有
    ...
    // 保存当前的mount namespace 为 bootstrap
    bootstrap_ns_fd.reset(OpenMountNamespace());
    bootstrap_ns_id = GetMountNamespaceId();

    // When APEXes are updatable (e.g. not-flattened), we create separate mount
    // namespaces for processes that are started before and after the APEX is
    // activated by apexd. In the namespace for pre-apexd processes, small
    // number of essential APEXes (e.g. com.android.runtime) are activated.
    // In the namespace for post-apexd processes, all APEXes are activated.
    bool success = true;
    if (IsApexUpdatable() && !IsRecoveryMode()) { // 如果apex可更新并且不是recovery模式
        // Creating a new namespace by cloning, saving, and switching back to
        // the original namespace.
        if (unshare(CLONE_NEWNS) == -1) { // 创建新的mount namespace
            PLOG(ERROR) << "Cannot create mount namespace";
            return false;
        }
        // 将新的 mount namespace 保存为 default
        default_ns_fd.reset(OpenMountNamespace());
        default_ns_id = GetMountNamespaceId();

        if (setns(bootstrap_ns_fd.get(), CLONE_NEWNS) == -1) { // 将init重新设置回 bootstrap
            PLOG(ERROR) << "Cannot switch back to bootstrap mount namespace";
            return false;
        }
    } else { // 否则 default 和 bootstrap 同 mount namespace
        // Otherwise, default == bootstrap
        default_ns_fd.reset(OpenMountNamespace());
        default_ns_id = GetMountNamespaceId();
    }
#ifdef ACTIVATE_FLATTENED_APEX
    success &= ActivateFlattenedApexesIfPossible();
#endif
    LOG(INFO) << "SetupMountNamespaces done";
    return success;
}

关于 mount namespace 可参考文章浅谈Linux Namespace机制（一）

InitializeSubcontext

创建subcontext进程，用于执行init交给其的一些任务(比如后面执行的某些Command)，通过socket与init进行通信

在Android P 开始才创建 subcontext
使用的secontext是 kVendorContext，即 u:r:vendor_init:s0

/// @system/core/init/subcontext.cpp
void InitializeSubcontext() {
    if (SelinuxGetVendorAndroidVersion() >= __ANDROID_API_P__) { // android s api 31 > android p api 28
        subcontext.reset( // 创建Subcontext, path_prefixes为"/vendor", "/odm"。kVendorContext u:r:vendor_init:s0
                new Subcontext(std::vector<std::string>{"/vendor", "/odm"}, kVendorContext));
    }
}

/// @system/core/init/subcontext.h
Subcontext(std::vector<std::string> path_prefixes, std::string context, bool host = false)
    : path_prefixes_(std::move(path_prefixes)), context_(std::move(context)), pid_(0) {
    if (!host) { /// host默认为false
        Fork(); // 创建subcontext进程
    }
}

Subcontext::Fork

创建Socket pair，用于subcontext与init进行通信
fork() 创建子进程 subcontext
subcontext通过setexeccon设置安全上下文，通过setns 设置为默认mount space
通过execv执行/system/bin/init 进入subcontext业务逻辑

/// @system/core/init/subcontext.cpp
void Subcontext::Fork() {
    unique_fd subcontext_socket;
    // 创建 socket对，用于与init进行通信
    if (!Socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC, 0, &socket_, &subcontext_socket)) {
        LOG(FATAL) << "Could not create socket pair to communicate to subcontext";
        return;
    }

    auto result = fork(); // 创建子进程 subcontext

    if (result == -1) {
        LOG(FATAL) << "Could not fork subcontext";
    } else if (result == 0) { // subcontext 进程
        socket_.reset(); // 关闭init的 fd

        // We explicitly do not use O_CLOEXEC here, such that we can reference this FD by number
        // in the subcontext process after we exec.
        int child_fd = dup(subcontext_socket);  // NOLINT(android-cloexec-dup)
        if (child_fd < 0) {
            PLOG(FATAL) << "Could not dup child_fd";
        }

        // We don't switch contexts if we're running the unit tests.  We don't use std::optional,
        // since we still need a real context string to pass to the builtin functions.
        if (context_ != kTestContext) {
            if (setexeccon(context_.c_str()) < 0) { // 设置安全上下文 Set exec security context for the next execve
                PLOG(FATAL) << "Could not set execcon for '" << context_ << "'";
            }
        }
#if defined(__ANDROID__)
        // subcontext init runs in "default" mount namespace
        // so that it can access /apex/*
        if (auto result = SwitchToMountNamespaceIfNeeded(NS_DEFAULT); !result.ok()) {// 切换到 default mount namespace
            LOG(FATAL) << "Could not switch to \"default\" mount namespace: " << result.error();
        }
#endif
        auto init_path = GetExecutablePath(); // /system/bin/init
        auto child_fd_string = std::to_string(child_fd);
        const char* args[] = {init_path.c_str(), "subcontext", context_.c_str(), // 注意此处传入的参数 subcontext
                              child_fd_string.c_str(), nullptr};
        execv(init_path.data(), const_cast<char**>(args)); // execv 执行init

        PLOG(FATAL) << "Could not execv subcontext init";
    } else { // init 进程
        subcontext_socket.reset();  // 关闭subcontext的 fd
        pid_ = result;
        LOG(INFO) << "Forked subcontext for '" << context_ << "' with pid " << pid_;
    }
}

SwitchToMountNamespaceIfNeeded

/// @system/core/init/mount_namespace.cpp
Result<void> SwitchToMountNamespaceIfNeeded(MountNamespace target_mount_namespace) {
    if (IsRecoveryMode() || !IsApexUpdatable()) {
        // we don't have multiple namespaces in recovery mode or if apex is not updatable
        return {};
    }
    const auto& ns_id = target_mount_namespace == NS_BOOTSTRAP ? bootstrap_ns_id : default_ns_id;
    const auto& ns_fd = target_mount_namespace == NS_BOOTSTRAP ? bootstrap_ns_fd : default_ns_fd;
    const auto& ns_name = target_mount_namespace == NS_BOOTSTRAP ? "bootstrap" : "default";
    // 读取link /proc/self/ns/mnt
    // lrwxrwxrwx 1 root root 0 2022-12-16 15:30 /proc/164/ns/mnt -> mnt:[4026532713]
    if (ns_id != GetMountNamespaceId() && ns_fd.get() != -1) {
        if (setns(ns_fd.get(), CLONE_NEWNS) == -1) { // 调用 setns 设置mount namespace
            return ErrnoError() << "Failed to switch to " << ns_name << " mount namespace.";
        }
    }
    return {};
}

subcontext入口在init main方法中，通过参数可以知道启动的是哪个，对于subcontext则会调用SubcontextMain函数

/// @system/core/init/main.cpp
int main(int argc, char** argv) {
    ...
    if (argc > 1) {
        if (!strcmp(argv[1], "subcontext")) { // 此处。 subcontext 子进程入口
            android::base::InitLogging(argv, &android::base::KernelLogger);
            const BuiltinFunctionMap& function_map = GetBuiltinFunctionMap();

            return SubcontextMain(argc, argv, &function_map);  // 调用 SubcontextMain
        }

        if (!strcmp(argv[1], "selinux_setup")) {// selinux初始化阶段
            return SetupSelinux(argv);
        }

        if (!strcmp(argv[1], "second_stage")) {// 启动第二阶段
            return SecondStageMain(argc, argv);
        }
    }

    return FirstStageMain(argc, argv); // 启动第一阶段
}

SubcontextMain

/// @system/core/init/subcontext.cpp
int SubcontextMain(int argc, char** argv, const BuiltinFunctionMap* function_map) {
    if (argc < 4) LOG(FATAL) << "Fewer than 4 args specified to subcontext (" << argc << ")";

    auto context = std::string(argv[2]); // 默认是 kVendorContext，u:r:vendor_init:s0
    auto init_fd = std::atoi(argv[3]); // socket fd

    SelabelInitialize(); // selable 初始化
    // 设置关机命令lambda
    trigger_shutdown = [](const std::string& command) { shutdown_command = command; };
    // 创建 SubcontextProcess 对象
    auto subcontext_process = SubcontextProcess(function_map, context, init_fd);
    // Restore prio before main loop
    setpriority(PRIO_PROCESS, 0, 0);
    subcontext_process.MainLoop(); // 调用其 MainLoop 函数
    return 0;
}

SubcontextProcess::MainLoop

进入主循环，等待init消息并处理相关请求。

poll等待读事件的发生，通常是init发送相关命令请求
ReadMessage(init_fd_) 读取来自 init 的消息
subcontext_command.ParseFromString 解析init消息
根据Command类别执行不同的操作
- kExecuteCommand 执行指定的命令
- kExpandArgsCommand 展开给定的参数。
SendMessage回复init执行结果

/// @system/core/init/subcontext.cpp
void SubcontextProcess::MainLoop() {
    pollfd ufd[1];
    ufd[0].events = POLLIN;
    ufd[0].fd = init_fd_; // init socket fd，监听相关事件

    while (true) {
        ufd[0].revents = 0;
        int nr = TEMP_FAILURE_RETRY(poll(ufd, arraysize(ufd), -1)); // poll等待事件发生
        if (nr == 0) continue;
        if (nr < 0) {
            PLOG(FATAL) << "poll() of subcontext socket failed, continuing";
        }

        auto init_message = ReadMessage(init_fd_); // 读取来自 init 的消息
        if (!init_message.ok()) {
            if (init_message.error().code() == 0) {
                // If the init file descriptor was closed, let's exit quietly. If
                // this was accidental, init will restart us. If init died, this
                // avoids calling abort(3) unnecessarily.
                return;
            }
            LOG(FATAL) << "Could not read message from init: " << init_message.error();
        }

        auto subcontext_command = SubcontextCommand();
        if (!subcontext_command.ParseFromString(*init_message)) { // 解析init消息
            LOG(FATAL) << "Unable to parse message from init";
        }

        auto reply = SubcontextReply();
        switch (subcontext_command.command_case()) {
            case SubcontextCommand::kExecuteCommand: { // 执行命令
                RunCommand(subcontext_command.execute_command(), &reply);
                break;
            }
            case SubcontextCommand::kExpandArgsCommand: { // 展开参数
                ExpandArgs(subcontext_command.expand_args_command(), &reply);
                break;
            }
            default:
                LOG(FATAL) << "Unknown message type from init: "
                           << subcontext_command.command_case();
        }

        if (!shutdown_command.empty()) { // shutdown命令不为空，回写shutdown消息
            reply.set_trigger_shutdown(shutdown_command);
            shutdown_command.clear();
        }
        // 发送回复消息到 init
        if (auto result = SendMessage(init_fd_, reply); !result.ok()) {
            LOG(FATAL) << "Failed to send message to init: " << result.error();
        }
    }
}

ReadMessage

从socket 中读取消息, 存储到 string

/// @system/core/init/proto_utils.h
inline Result<std::string> ReadMessage(int socket) {
    char buffer[kBufferSize] = {};
    auto result = TEMP_FAILURE_RETRY(recv(socket, buffer, sizeof(buffer), 0));
    if (result == 0) {
        return Error();
    } else if (result < 0) {
        return ErrnoError();
    }
    return std::string(buffer, result);
}

SendMessage

将消息序列化为string，然后通过socket发送

template <typename T>
Result<void> SendMessage(int socket, const T& message) {
    std::string message_string;
    if (!message.SerializeToString(&message_string)) {
        return Error() << "Unable to serialize message";
    }

    if (message_string.size() > kBufferSize) {
        return Error() << "Serialized message too long to send";
    }

    if (auto result =
                TEMP_FAILURE_RETRY(send(socket, message_string.c_str(), message_string.size(), 0));
        result != static_cast<long>(message_string.size())) {
        return ErrnoError() << "send() failed to send message contents";
    }
    return {};
}

SubcontextCommand、SubcontextReply

上面两个用来接收命令，发送反馈的类，在源码的实现是通过proto2。通过SubcontextCommand定义可知，它目前支持两种命令，execute_command和expand_args_command。

/// @system/core/init/subcontext.proto
syntax = "proto2";
option optimize_for = LITE_RUNTIME;

message SubcontextCommand {
    message ExecuteCommand { repeated string args = 1; }
    message ExpandArgsCommand { repeated string args = 1; }
    oneof command {
        ExecuteCommand execute_command = 1;
        ExpandArgsCommand expand_args_command = 2;
    }
}

message SubcontextReply {
    message Failure {
        optional string error_string = 1;
        optional int32 error_errno = 2;
    }
    message ExpandArgsReply { repeated string expanded_args = 1; }

    oneof reply {
        bool success = 1;
        Failure failure = 2;
        ExpandArgsReply expand_args_reply = 3;
    }

    optional string trigger_shutdown = 4;
}

关于proto2 请参考快来看看Google出品的Protocol Buffer

init发送命令

在 init(2) rc脚本解析和事件执行流程 中，分析过Command的解析与执行。通常，每一个Command都在内置函数Map有对应的一行，如下所示。第四列true/false表示是否在subcontext中执行。

/// @system/core/init/builtins.cpp
static const BuiltinFunctionMap builtin_functions =
// 函数名， MapValue{ min_args，max_args，BuiltinFunctionMapValue{ run_in_subcontext， BuiltinFunction } }
  {"copy",                    {2,     2,    {true,   do_copy}}},
  {"copy_per_line",           {2,     2,    {true,   do_copy_per_line}}},
  {"domainname",              {1,     1,    {true,   do_domainname}}},
  {"enable",                  {1,     1,    {false,  do_enable}}},
  {"exec",                    {1,     kMax, {false,  do_exec}}},
  {"exec_background",         {1,     kMax, {false,  do_exec_background}}},
  {"exec_start",              {1,     1,    {false,  do_exec_start}}},

以copy命令为例，看看它的实现。当执行该命令时，会调用Command::InvokeFunc

Command::InvokeFunc

当指定了不为空的subcontext
- 若execute_in_subcontext_为true，则会直接调用subcontext->Execute
- 否则会先subcontext->ExpandArgs通过subcontext进程对args进行膨胀处理(主要是将 ${prop_name} 解析成对应的属性值)，然后在调用RunBuiltinFunction
未指定subcontext则直接调用RunBuiltinFunction

/// @system/core/init/action.cpp
Result<void> Command::InvokeFunc(Subcontext* subcontext) const {
    if (subcontext) { // 指定了subcontext
        if (execute_in_subcontext_) { // 如果指定在 subcontext 下执行
            return subcontext->Execute(args_);
        }

        auto expanded_args = subcontext->ExpandArgs(args_);
        if (!expanded_args.ok()) { // 膨胀处理失败，则结束处理
            return expanded_args.error();
        }
        return RunBuiltinFunction(func_, *expanded_args, subcontext->context());
    }

    return RunBuiltinFunction(func_, args_, kInitContext);
}

copy指定了在subcontext执行，因此会调用subcontext->Execute

Subcontext::Execute

Result<void> Subcontext::Execute(const std::vector<std::string>& args) {
    auto subcontext_command = SubcontextCommand();
    std::copy( // 填充参数到命令。 注意此处的mutable_execute_command，表示使用的消息是 execute_command
        args.begin(), args.end(),
        RepeatedPtrFieldBackInserter(subcontext_command.mutable_execute_command()->mutable_args()));

    auto subcontext_reply = TransmitMessage(subcontext_command);// 传递消息并接收回复
    if (!subcontext_reply.ok()) {
        return subcontext_reply.error();
    }

    if (subcontext_reply->reply_case() == SubcontextReply::kFailure) { // 处理失败
        auto& failure = subcontext_reply->failure();
        return ResultError(failure.error_string(), failure.error_errno());
    }

    if (subcontext_reply->reply_case() != SubcontextReply::kSuccess) {
        return Error() << "Unexpected message type from subcontext: "
                       << subcontext_reply->reply_case();
    }

    return {};
}

Subcontext::TransmitMessage

Result<SubcontextReply> Subcontext::TransmitMessage(const SubcontextCommand& subcontext_command) {
    if (auto result = SendMessage(socket_, subcontext_command); !result.ok()) { // 发送消息，和上面一样 通过socket发消息
        Restart(); // 发送失败则重启 subcontext 进程
        return ErrnoError() << "Failed to send message to subcontext";
    }

    auto subcontext_message = ReadMessage(socket_); // 接收处理结果
    if (!subcontext_message.ok()) {
        Restart();
        return Error() << "Failed to receive result from subcontext: " << subcontext_message.error();
    }

    auto subcontext_reply = SubcontextReply{};
    if (!subcontext_reply.ParseFromString(*subcontext_message)) { // 解析结果
        Restart();
        return Error() << "Unable to parse message from subcontext";
    }

    if (subcontext_reply.has_trigger_shutdown()) { // 若包含关机信息则触发执行
        trigger_shutdown(subcontext_reply.trigger_shutdown());
    }

    return subcontext_reply;
}

从上面分析可知，init发送了一个类型为execute_command的消息到 subcontext，在SubcontextProcess::MainLoop中收到请求后，根据类型执行相关动作，即调用RunCommand

// MainLoop ...
switch (subcontext_command.command_case()) {
    case SubcontextCommand::kExecuteCommand: { // 执行命令
        RunCommand(subcontext_command.execute_command(), &reply);
        break;
    }
    ...
}
...
// 发送回复消息到 init
if (auto result = SendMessage(init_fd_, reply); !result.ok()) {
    LOG(FATAL) << "Failed to send message to init: " << result.error();
}

SubcontextProcess::RunCommand

void SubcontextProcess::RunCommand(const SubcontextCommand::ExecuteCommand& execute_command,
                                   SubcontextReply* reply) const {
    // Need to use ArraySplice instead of this code.
    auto args = std::vector<std::string>();
    for (const auto& string : execute_command.args()) {
        args.emplace_back(string);
    }

    auto map_result = function_map_->Find(args); // 从函数Map寻找对应的函数
    Result<void> result;
    if (!map_result.ok()) {
        result = Error() << "Cannot find command: " << map_result.error();
    } else {
        result = RunBuiltinFunction(map_result->function, args, context_); // 执行内置函数
    }

    if (result.ok()) {
        reply->set_success(true);
    } else {
        auto* failure = reply->mutable_failure();
        failure->set_error_string(result.error().message());
        failure->set_error_errno(result.error().code());
    }
}

RunBuiltinFunction

/// @system/core/init/action.cpp
Result<void> RunBuiltinFunction(const BuiltinFunction& function,
                                const std::vector<std::string>& args, const std::string& context) {
    auto builtin_arguments = BuiltinArguments(context); // 函数参数

    builtin_arguments.args.resize(args.size());
    builtin_arguments.args[0] = args[0];
    for (std::size_t i = 1; i < args.size(); ++i) {
        auto expanded_arg = ExpandProps(args[i]); // 展开属性参数
        if (!expanded_arg.ok()) {
            return expanded_arg.error();
        }
        builtin_arguments.args[i] = std::move(*expanded_arg);
    }
    // 调用函数，copy 对应的函数是 do_copy
    return function(builtin_arguments);
}

ExpandProps

将属性参数展开为对应的值

属性的形式可以是 $x.y 或者 ${x.y}。但 $x.y 这种形式从R开始不再支持
连续两个$被解析为$。{}内部的内嵌属性不再解析，如 ${foo.${bar}}
可以指定默认值，当属性值为空时返回。如 ${x.y:-default} ， default即默认值

/// @system/core/init/util.cpp
Result<std::string> ExpandProps(const std::string& src) {
    const char* src_ptr = src.c_str();

    std::string dst;

    /* - variables can either be $x.y or ${x.y}, in case they are only part
     *   of the string.
     * - will accept $$ as a literal $.
     * - no nested property expansion, i.e. ${foo.${bar}} is not supported,
     *   bad things will happen
     * - ${x.y:-default} will return default value if property empty.
     */
    while (*src_ptr) {
        const char* c;

        c = strchr(src_ptr, '$'); // 寻找字符串中的 $
        if (!c) { // 不包含$则不需要解析
            dst.append(src_ptr);
            return dst;
        }

        dst.append(src_ptr, c);
        c++;

        if (*c == '$') { // 检测到连续两个$$，则识别为$
            dst.push_back(*(c++));
            src_ptr = c;
            continue;
        } else if (*c == '\0') { // 后面紧跟结束符则返回
            return dst;
        }

        std::string prop_name;
        std::string def_val;
        if (*c == '{') { // 如果后面有{ ，则需要识别为 ${x.y} 这种
            c++;
            const char* end = strchr(c, '}');
            if (!end) { // { } 要成对匹配
                // failed to find closing brace, abort.
                return Error() << "unexpected end of string in '" << src << "', looking for }";
            }
            prop_name = std::string(c, end);
            c = end + 1;
            size_t def = prop_name.find(":-"); // 解析默认值。:-后面是默认值，前面是key
            if (def < prop_name.size()) {
                def_val = prop_name.substr(def + 2);
                prop_name = prop_name.substr(0, def);
            }
        } else { // 否则$后面都是key。
            prop_name = c;
            if (SelinuxGetVendorAndroidVersion() >= __ANDROID_API_R__) { // 大于 R 版本不再支持这种语法
                return Error() << "using deprecated syntax for specifying property '" << c
                               << "', use ${name} instead";
            } else {
                LOG(ERROR) << "using deprecated syntax for specifying property '" << c
                           << "', use ${name} instead";
            }
            c += prop_name.size();
        }

        if (prop_name.empty()) {
            return Error() << "invalid zero-length property name in '" << src << "'";
        }
        // 获取属性值
        std::string prop_val = android::base::GetProperty(prop_name, "");
        if (prop_val.empty()) { // 没有获取属性值
            if (def_val.empty()) { // 没有指定默认值
                return Error() << "property '" << prop_name << "' doesn't exist while expanding '"
                               << src << "'";
            }
            prop_val = def_val; // 使用默认值
        }

        dst.append(prop_val);
        src_ptr = c;
    }

    return dst;
}

Command是copy情景下，function(builtin_arguments) 调用的函数是 do_copy

do_copy

/// @system/core/init/builtins.cpp
static Result<void> do_copy(const BuiltinArguments& args) {
    auto file_contents = ReadFile(args[1]);
    if (!file_contents.ok()) {
        return Error() << "Could not read input file '" << args[1] << "': " << file_contents.error();
    }
    if (auto result = WriteFile(args[2], *file_contents); !result.ok()) {
        return Error() << "Could not write to output file '" << args[2] << "': " << result.error();
    }

    return {};
}