此前,分析过,SystemServer的启动,那么接着上篇,继续分析PhoneApp的启动
首先,SystemServer启动时,进入其的main函数
SystemServer.java文件
public static void main(String[] args) { new SystemServer().run(); }
private void run() { ...... // Start services. try { Trace.traceBegin(Trace.TRACE_TAG_SYSTEM_SERVER, "StartServices"); startBootstrapServices(); startCoreServices(); startOtherServices(); } catch (Throwable ex) { ...... } ...... }
private void startBootstrapServices() { ...... // Activity manager runs the show. mActivityManagerService = mSystemServiceManager.startService( ActivityManagerService.Lifecycle.class).getService(); mActivityManagerService.setSystemServiceManager(mSystemServiceManager); mActivityManagerService.setInstaller(installer); ......
// Set up the Application instance for the system process and get started. // Leo,调用ActivityManagerService对象爱那个的setSystemProcess方法 mActivityManagerService.setSystemProcess();
...... }从这个地方来看,好像是创建了一个ActivityManagerService对象,OK,我们先来看下SystemServiceManager对象的startService方法
public <T extends SystemService> T startService(Class<T> serviceClass) { try { final String name = serviceClass.getName(); Slog.i(TAG, "Starting " + name); Trace.traceBegin(Trace.TRACE_TAG_SYSTEM_SERVER, "StartService " + name); // Create the service. if (!SystemService.class.isAssignableFrom(serviceClass)) { throw new RuntimeException("Failed to create " + name + ": service must extend " + SystemService.class.getName()); } final T service; try {
// Leo, 原来是之调用了serviceClass的构造函数 Constructor<T> constructor = serviceClass.getConstructor(Context.class);
// Leo,得到serviceClass的对象 service = constructor.newInstance(mContext); } catch (InstantiationException ex) { throw new RuntimeException("Failed to create service " + name + ": service could not be instantiated", ex); } catch (IllegalAccessException ex) { throw new RuntimeException("Failed to create service " + name + ": service must have a public constructor with a Context argument", ex); } catch (NoSuchMethodException ex) { throw new RuntimeException("Failed to create service " + name + ": service must have a public constructor with a Context argument", ex); } catch (InvocationTargetException ex) { throw new RuntimeException("Failed to create service " + name + ": service constructor threw an exception", ex); } // Register it. mServices.add(service); // Start it. try {
// Leo, 调用其onStart方法 service.onStart(); } catch (RuntimeException ex) { throw new RuntimeException("Failed to start service " + name + ": onStart threw an exception", ex); } return service; } finally { Trace.traceEnd(Trace.TRACE_TAG_SYSTEM_SERVER); } }原来是调用了serviceClass类的构造函数,然后再调用其onStart方法,传入的参数为ActivityManagerService.Lifecycle.class,因此,我们查看Lifecycle内部类的实现
public static final class Lifecycle extends SystemService { private final ActivityManagerService mService; // Leo, 构造函数中,新建了一个ActivityManagerService的对象 public Lifecycle(Context context) { super(context); mService = new ActivityManagerService(context); } @Override // Leo,onStart方法中,其实就是调用了ActivityManagerService对象的start方法 public void onStart() { mService.start(); } // Leo,返回ActivityManagerService对象 public ActivityManagerService getService() { return mService; } }从这个内部类,我们可以看出,实际上,在调用SystemServiceManager的startService方法,是新建了一个ActivityManagerService的对象,然后调用其start方法,最后使用getService方法,返回该对象,由此,我们启动ActivityManagerService,这个是Android的核心进程,掌控了四大组件的启动,转换,调度等工作
接下来调用了ActivityManagerService对象的setSystemProcess方法
public void setSystemProcess() { try { // Leo, 将Service加入到ServiceManager中进行管理 ServiceManager.addService(Context.ACTIVITY_SERVICE, this, true); ServiceManager.addService(ProcessStats.SERVICE_NAME, mProcessStats); ServiceManager.addService("meminfo", new MemBinder(this)); ServiceManager.addService("gfxinfo", new GraphicsBinder(this)); ServiceManager.addService("dbinfo", new DbBinder(this)); if (MONITOR_CPU_USAGE) { ServiceManager.addService("cpuinfo", new CpuBinder(this)); } ServiceManager.addService("permission", new PermissionController(this)); ServiceManager.addService("processinfo", new ProcessInfoService(this)); ApplicationInfo info = mContext.getPackageManager().getApplicationInfo( "android", STOCK_PM_FLAGS | MATCH_SYSTEM_ONLY); mSystemThread.installSystemApplicationInfo(info, getClass().getClassLoader()); synchronized (this) { ProcessRecord app = newProcessRecordLocked(info, info.processName, false, 0); app.persistent = true; app.pid = MY_PID; app.maxAdj = ProcessList.SYSTEM_ADJ; app.makeActive(mSystemThread.getApplicationThread(), mProcessStats); synchronized (mPidsSelfLocked) { mPidsSelfLocked.put(app.pid, app); } updateLruProcessLocked(app, false, null); updateOomAdjLocked(); } } catch (PackageManager.NameNotFoundException e) { throw new RuntimeException( "Unable to find android system package", e); } }其将service加入到ServiceManager中进行管理,后续我们再研究分析ServiceManager的addService和getService方法,暂时不提
接下来,查看ServiceServer的run方法中的其他方法,startOtherService
private void startOtherServices() { ...... // Leo, 调用ActivityManagerService的systemReady方法 mActivityManagerService.systemReady(......); }调用ActivityManagerService的systemReady方法
public void systemReady(final Runnable goingCallback) { ...... startPersistentApps(PackageManager.MATCH_DIRECT_BOOT_AWARE); ..... }
private void startPersistentApps(int matchFlags) { if (mFactoryTest == FactoryTest.FACTORY_TEST_LOW_LEVEL) return; synchronized (this) { try { final List<ApplicationInfo> apps = AppGlobals.getPackageManager() .getPersistentApplications(STOCK_PM_FLAGS | matchFlags).getList(); for (ApplicationInfo app : apps) { if (!"android".equals(app.packageName)) { addAppLocked(app, false, null /* ABI override */); } } } catch (RemoteException ex) { } } }从这边可以看到,ActivityManagerService将persistent和directbootaware属性的应用通过addAppLocked方法,做了一些操作,那么先来看看PhoneApp的AndroidManifest.xml文件中是否具有该两个属性
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:androidprv="http://schemas.android.com/apk/prv/res/android" package="com.android.phone" coreApp="true" android:sharedUserId="android.uid.phone" android:sharedUserLabel="@string/phoneAppLabel" > ...... <application android:name="PhoneApp" android:persistent="true" android:label="@string/phoneAppLabel" android:icon="@mipmap/ic_launcher_phone" android:allowBackup="false" android:supportsRtl="true" android:usesCleartextTraffic="true" android:defaultToDeviceProtectedStorage="true" android:directBootAware="true"> ...... </application> </manifest>可以看到,PhoneApp具有这两个属性,那么PhoneApp应用,会被addAppLocked处理,而针对于PhoneApp应用来说,ApplicationInfo指的是其应用信息,第二个参数为false,第三个参数为null
// Leo, info is app, isolated is false, abiOverride is null final ProcessRecord addAppLocked(ApplicationInfo info, boolean isolated, String abiOverride) { ProcessRecord app; if (!isolated) { app = getProcessRecordLocked(info.processName, info.uid, true); } else { app = null; } if (app == null) { // Leo, 通过ApplicationInfo获取ProcessRecord app = newProcessRecordLocked(info, null, isolated, 0); updateLruProcessLocked(app, false, null); updateOomAdjLocked(); } // This package really, really can not be stopped. try { AppGlobals.getPackageManager().setPackageStoppedState( info.packageName, false, UserHandle.getUserId(app.uid)); } catch (RemoteException e) { } catch (IllegalArgumentException e) { Slog.w(TAG, "Failed trying to unstop package " + info.packageName + ": " + e); } if ((info.flags & PERSISTENT_MASK) == PERSISTENT_MASK) { app.persistent = true; app.maxAdj = ProcessList.PERSISTENT_PROC_ADJ; } if (app.thread == null && mPersistentStartingProcesses.indexOf(app) < 0) { mPersistentStartingProcesses.add(app); // Leo,调用startProcessLocked,看这个方法的名称,应该是启动该应用 startProcessLocked(app, "added application", app.processName, abiOverride, null /* entryPoint */, null /* entryPointArgs */); } return app; }调用startProcessLocked方法,启动该应用
// Leo, hosting Type is "added application", addAppLocked is null, entryPoint is null, entryPointArgs is null private final void startProcessLocked(ProcessRecord app, String hostingType, String hostingNameStr, String abiOverride, String entryPoint, String[] entryPointArgs) { // Leo, 配置启动进程的一些必要参数 ......
if (entryPoint == null) entryPoint = "android.app.ActivityThread";
// Leo, 调用Process的start方法,看样子,是在这边启动进程,注意这边的entryPoint参数是"android.app.ActivityThread" Process.ProcessStartResult startResult = Process.start(entryPoint, app.processName, uid, uid, gids, debugFlags, mountExternal, app.info.targetSdkVersion, app.info.seinfo, requiredAbi, instructionSet, app.info.dataDir, entryPointArgs); ...... }
public static final ProcessStartResult start(final String processClass, final String niceName, int uid, int gid, int[] gids, int debugFlags, int mountExternal, int targetSdkVersion, String seInfo, String abi, String instructionSet, String appDataDir, String[] zygoteArgs) { ......
// Leo, 注意,此处的processClass为"android.app.ActivityThread"
return startViaZygote(processClass, niceName, uid, gid, gids,
debugFlags, mountExternal, targetSdkVersion, seInfo,
abi, instructionSet, appDataDir, zygoteArgs);
......
}
继续,注意此处的processClass为"android.app.ActivityThread",而其他的参数均是和PhoneApp相关,之后,通过和zygote的通信,fork一个进程,调用ActivityThread的main函数,过程以后再分析研究
public static void main(String[] args) { ...... ActivityThread thread = new ActivityThread(); thread.attach(false); ...... }
private void attach(boolean system) { // Leo, 调用IActivityManager的attachApplication final IActivityManager mgr = ActivityManagerNative.getDefault(); try { mgr.attachApplication(mAppThread); } catch (RemoteException ex) { throw ex.rethrowFromSystemServer(); } }调用ActivityManagerNative的getDefault方法后,返回IActivityManager,并调用其attachApplication方法
static public IActivityManager getDefault() { return gDefault.get(); }
private static final Singleton<IActivityManager> gDefault = new Singleton<IActivityManager>() { protected IActivityManager create() { IBinder b = ServiceManager.getService("activity"); if (false) { Log.v("ActivityManager", "default service binder = " + b); } IActivityManager am = asInterface(b); if (false) { Log.v("ActivityManager", "default service = " + am); } return am; } };在此前ActivityManagerService的setSystemProcess方法中,有ServiceManager.addService(Context.ACTIVITY_SERVICE, this, true);,因此,此时使用ServiceManager.getService("activity");取出的就是ActivityManagerService对象,然后通过asInterface方法,将ActivityManagerService和ActivityManagerProxy建立连接关系
我们继续查看ActivityManagerProxy的attachApplication,此后通过一系列的Binder通信,调用的是ActivityManagerService的attachApplication方法,因此
public final void attachApplication(IApplicationThread thread) { synchronized (this) { int callingPid = Binder.getCallingPid(); final long origId = Binder.clearCallingIdentity(); // Leo,调用attachApplicationLocked方法 attachApplicationLocked(thread, callingPid); Binder.restoreCallingIdentity(origId); } }
private final boolean attachApplicationLocked(IApplicationThread thread, int pid) { ...... thread.bindApplication(processName, appInfo, providers, app.instrumentationClass, profilerInfo, app.instrumentationArguments, app.instrumentationWatcher, app.instrumentationUiAutomationConnection, testMode, mBinderTransactionTrackingEnabled, enableTrackAllocation, isRestrictedBackupMode || !normalMode, app.persistent, new Configuration(mConfiguration), app.compat, getCommonServicesLocked(app.isolated), mCoreSettingsObserver.getCoreSettingsLocked()); ...... }
而IApplicationThread是什么呢?此地就不多说了,依旧是通过Binder通信来连接的IBinder,一个为ApplicationThreadProxy,另一个是ApplicationThread
因此最终调用的是ApplicationThread的bindApplication方法
ActivityThread.java
public final void bindApplication(String processName, ApplicationInfo appInfo, List<ProviderInfo> providers, ComponentName instrumentationName, ProfilerInfo profilerInfo, Bundle instrumentationArgs, IInstrumentationWatcher instrumentationWatcher, IUiAutomationConnection instrumentationUiConnection, int debugMode, boolean enableBinderTracking, boolean trackAllocation, boolean isRestrictedBackupMode, boolean persistent, Configuration config, CompatibilityInfo compatInfo, Map<String, IBinder> services, Bundle coreSettings) { if (services != null) { // Setup the service cache in the ServiceManager ServiceManager.initServiceCache(services); } setCoreSettings(coreSettings); AppBindData data = new AppBindData(); data.processName = processName; data.appInfo = appInfo; data.providers = providers; data.instrumentationName = instrumentationName; data.instrumentationArgs = instrumentationArgs; data.instrumentationWatcher = instrumentationWatcher; data.instrumentationUiAutomationConnection = instrumentationUiConnection; data.debugMode = debugMode; data.enableBinderTracking = enableBinderTracking; data.trackAllocation = trackAllocation; data.restrictedBackupMode = isRestrictedBackupMode; data.persistent = persistent; data.config = config; data.compatInfo = compatInfo; data.initProfilerInfo = profilerInfo; sendMessage(H.BIND_APPLICATION, data); }
public void handleMessage(Message msg) { if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what)); switch (msg.what) { ...... case BIND_APPLICATION: Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication"); AppBindData data = (AppBindData)msg.obj; // Leo, 调用handleBindApplication方法 handleBindApplication(data); Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER); break; ...... } }调用handleBindApplication方法
private void handleBindApplication(AppBindData data) { ...... // Continue loading instrumentation. if (ii != null) { final ApplicationInfo instrApp = new ApplicationInfo(); ii.copyTo(instrApp); instrApp.initForUser(UserHandle.myUserId()); final LoadedApk pi = getPackageInfo(instrApp, data.compatInfo, appContext.getClassLoader(), false, true, false); final ContextImpl instrContext = ContextImpl.createAppContext(this, pi); try { final ClassLoader cl = instrContext.getClassLoader(); mInstrumentation = (Instrumentation) cl.loadClass(data.instrumentationName.getClassName()).newInstance(); } catch (Exception e) { throw new RuntimeException( "Unable to instantiate instrumentation " + data.instrumentationName + ": " + e.toString(), e); } final ComponentName component = new ComponentName(ii.packageName, ii.name); mInstrumentation.init(this, instrContext, appContext, component, data.instrumentationWatcher, data.instrumentationUiAutomationConnection); if (mProfiler.profileFile != null && !ii.handleProfiling && mProfiler.profileFd == null) { mProfiler.handlingProfiling = true; final File file = new File(mProfiler.profileFile); file.getParentFile().mkdirs(); Debug.startMethodTracing(file.toString(), 8 * 1024 * 1024); } } else { mInstrumentation = new Instrumentation(); } ...... try { mInstrumentation.callApplicationOnCreate(app); } catch (Exception e) { if (!mInstrumentation.onException(app, e)) { throw new RuntimeException( "Unable to create application " + app.getClass().getName() + ": " + e.toString(), e); } } ...... }最红调用到Instrumentation的callApplicationOnCreate方法中
public void callApplicationOnCreate(Application app) { app.onCreate(); }而我们知道,此处的Application代表的是PhoneApp应用信息,因此直接进入PhoneApp的oncreate方法,此时PhoneApp即已经启动