跳转至

Android 基础知识

本文档收集一些理论性知识,较为零碎,但是最终编织成一张大网。

实践固然能极快的获得成就感,但唯有理论的积累才能让你走得更远。

Android 系统分层架构与启动流程

参考资料

相关链接

Android 是一个基于 Linux 内核的复杂操作系统。其启动过程是一个从硬件加电到显示应用界面的分层、接力过程。

1. 系统启动层

  • Boot ROM (引导只读存储器)

    • 当按下电源键时,CPU 首先会执行固化在 ROM 中的一小段代码。
    • 它会进行基本的硬件检查,然后找到并加载下一阶段的引导程序(Bootloader)到 RAM 中。

  • Bootloader (引导加载程序)

    • Bootloader 负责初始化更多的硬件(如内存、闪存)。
    • 最重要的是将 Android 的核心Linux Kernel从闪存加载到 RAM 中,然后跳转到内核代码开始执行。

2. 内核层

  • Linux Kernel (Linux 内核)
    • 这是 Android 系统的核心。内核启动后,它会接管 CPU,并开始初始化各种驱动程序(如显示、键盘、Wi-Fi)和核心系统功能(如进程管理、内存管理)。
    • 内核启动的最后一步,是在用户空间(User Space)中启动第一个进程,即 init 进程

3. 原生用户空间 (Native User Space)

  • init 进程
    • init 是 Android 系统中的第一个进程(PID 1),是所有其他用户空间进程的“祖先”。
    • 它会解析 .rc 结尾的初始化脚本文件(例如 init.rc)。
    • 根据这些脚本,init 进程会启动系统运行所需的各种原生服务(Daemons),例如 logd (日志服务)、vold (卷管理服务)等。
    • 启动了至关重要的进程:Zygote

4. Java 框架层 (Framework)

  • Zygote (受精卵) 进程

    • 核心功能: 启动 Java 虚拟机 (JVM/ART),预加载 Android 框架的核心 Java 类库和系统资源。
    • 通过fork自身来创建新的进程。由于核心类库已预加载,可以直接继承给App,这使得 App 的启动速度极快。这个过程又称为“孵化”。
    • Zygote 启动后首先会孵化出 System Server 进程。

  • System Server (系统服务进程)

    • System Server 是 Android 框架的核心。这是系统中第一个运行的 Java 进程。
    • 它负责启动和管理所有核心的系统服务。
    • System Server 启动完成后,Android 系统真正“准备就绪”,并会发送 BOOT_COMPLETED 广播,同时启动 Launcher(桌面应用)。

5. 应用层 (App)

  • App (应用程序) 进程
    • 当点击一个应用时,Launcher 会通知 Activity Manager Service (在 System Server 进程中)。
    • AMS 会检查该应用是否已有进程,如果没有,它会请求 Zygote 进程。
    • Zygote 收到请求后,会孵化出一个继承了 Zygote 预加载的虚拟机和核心资源的子进程,即为该应用进程,然后加载应用代码,启动应用的 Activity

Android 系统交互机制

  • SysCall (System Call - 系统调用)

    • 这是用户空间(包括 initZygote、App)与 Linux 内核 交互的唯一桥梁。
    • 当 App 需要访问硬件(如读写文件、打开摄像头、发送网络数据)时,它不能直接操作,必须通过 SysCall 向内核发出请求,由内核代为完成,以保证系统安全和稳定。

  • JNI (Java Native Interface - Java 本地接口)

    • 这是 Android 中 Java 代码与 C/C++(Native)代码交互的桥梁。
    • Android 的框架层(如 System Server)和应用(App)主要是用 Java 编写的,但它们需要调用底层的系统功能(例如图形渲染、硬件访问),这些功能通常由 C/C++ 实现。
    • 流程: Java 代码 (App) → JNI → C/C++ (Native 库) → SysCall → Linux 内核。

  • Binder (进程间通信)

    • 这是 Android 特有的高性能进程间通信(IPC)机制。
    • 它在 Android 中无处不在:
      • App 与 System Server(AMS, PMS 等)之间的通信。
      • App 与 App 之间的通信。

Zygote

参考资料

相关链接

在 Android 启动流程中,我们已经简要介绍了 Zygote 进程的作用。大名鼎鼎的 Xposed 框架正是通过 Hook Zygote 来实现对所有 App 的代码注入。 因此我们来从代码仔细深入了解下 Zygote 的工作原理。

无特殊说明,以下源码均基于 Android 16.0.0_r2 源码 分析

Zygote 启动流程

1. init 进程启动 app_process

按照我们之前的介绍,Zygote 是由 init 进程启动的。我们可以在 init.rc 中找到对应启动:

/system/core/rootdir/init.rc
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
#line 526:528
    # Now we can start zygote.
    trigger zygote-start

#line 1087:1095
# to start-zygote in device's init.rc to unblock zygote start.
on zygote-start
    wait_for_prop odsign.verification.done 1
    # A/B update verifier that marks a successful boot.
    exec_start update_verifier
    start statsd
    start zygote
    start zygote_secondary
系统会启动 zygote 和 zygote_secondary 服务。这两个服务声明于以下配置文件中:

/system/core/rootdir/init.zygote32.rc
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    priority -20
    user root
    group root readproc reserved_disk
    socket zygote stream 660 root system
    socket usap_pool_primary stream 660 root system
    onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
    onrestart write /sys/power/state on
    # NOTE: If the wakelock name here is changed, then also
    # update it in SystemSuspend.cpp
    onrestart write /sys/power/wake_lock zygote_kwl
    onrestart restart audioserver
    onrestart restart cameraserver
    onrestart restart media
    onrestart restart --only-if-running media.tuner
    onrestart restart netd
    onrestart restart wificond
    task_profiles ProcessCapacityHigh MaxPerformance
    critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
/system/core/rootdir/init.zygote64.rc
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server --socket-name=zygote
    class main
    priority -20
    user root
    group root readproc reserved_disk
    socket zygote stream 660 root system
    socket usap_pool_primary stream 660 root system
    onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
    onrestart write /sys/power/state on
    # NOTE: If the wakelock name here is changed, then also
    # update it in SystemSuspend.cpp
    onrestart write /sys/power/wake_lock zygote_kwl
    onrestart restart audioserver
    onrestart restart cameraserver
    onrestart restart media
    onrestart restart --only-if-running media.tuner
    onrestart restart netd
    onrestart restart wificond
    task_profiles ProcessCapacityHigh MaxPerformance
    critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
/system/core/rootdir/init.zygote64_32.rc
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
import /system/etc/init/hw/init.zygote64.rc

service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote --socket-name=zygote_secondary --enable-lazy-preload
    class main
    priority -20
    user root
    group root readproc reserved_disk
    socket zygote_secondary stream 660 root system
    socket usap_pool_secondary stream 660 root system
    onrestart restart zygote
    task_profiles ProcessCapacityHigh MaxPerformance

可以看出,zygote 服务会启动 /system/bin/app_process(64) 进程,附带的参数是--zygote --start-system-server

2. app_process 启动 ZygoteInit

源码网站上并没有这个文件,我从 Android 9 的实体机中提取了这个文件,是一个 ELF 文件,IDA 启动。

/system/bin/app_process64 main()
1
2
3
4
5
6
7
  if ( (v55 & 0x100000000LL) != 0 )
  {
    p_com.android.internal.os.RuntimeInit = "com.android.internal.os.ZygoteInit";
    v42 = 1;
  }
  // ...
  android::AndroidRuntime::start(v61, p_com.android.internal.os.RuntimeInit, v58, v42);
在经过一系列参数比对后,启动了java层com.android.internal.os.ZygoteInit

app_process 对应的源码是 app_main.cpp

/frameworks/base/cmds/app_process/app_main.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
    ++i;  // Skip unused "parent dir" argument.
    while (i < argc) {
        const char* arg = argv[i++];
        if (strcmp(arg, "--zygote") == 0) {
            zygote = true;
            niceName = ZYGOTE_NICE_NAME;
        } else if (strcmp(arg, "--start-system-server") == 0) {
            startSystemServer = true;
        } else if (strcmp(arg, "--application") == 0) {
            application = true;
        } else if (strncmp(arg, "--nice-name=", 12) == 0) {
            niceName = (arg + 12);
        } else if (strncmp(arg, "--", 2) != 0) {
            className = arg;
            break;
        } else {
            --i;
            break;
        }
    }
//...
        if (startSystemServer) {
            args.add(String8("start-system-server"));
        }
//...
    if (zygote) {
        runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
    } else if (!className.empty()) {
        runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
    } else {
        fprintf(stderr, "Error: no class name or --zygote supplied.\n");
        app_usage();
        LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
    }

可以看出,在--zygote --start-system-server参数下,最终会启动Java层的 com.android.internal.os.ZygoteInit 类,并将start-system-server放在arg中传入。

应用进程孵化流程

1. ZygoteInit:承上启下

我们回到Android 16.0.0_r2源码中查看这个类:

/frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
// 检查参数 line 848:860
            for (int i = 1; i < argv.length; i++) {
                if ("start-system-server".equals(argv[i])) {
                    startSystemServer = true;
                } else if ("--enable-lazy-preload".equals(argv[i])) {
                    enableLazyPreload = true;
                } else if (argv[i].startsWith(ABI_LIST_ARG)) {
                    abiList = argv[i].substring(ABI_LIST_ARG.length());
                } else if (argv[i].startsWith(SOCKET_NAME_ARG)) {
                    zygoteSocketName = argv[i].substring(SOCKET_NAME_ARG.length());
                } else {
                    throw new RuntimeException("Unknown command line argument: " + argv[i]);
                }
            }
// 预加载资源供后续孵化用 line 879:889
            // In some configurations, we avoid preloading resources and classes eagerly.
            // In such cases, we will preload things prior to our first fork.
            if (!enableLazyPreload) {
                bootTimingsTraceLog.traceBegin("ZygotePreload");
                EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_START,
                        SystemClock.uptimeMillis());
                preload(bootTimingsTraceLog);
                EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_END,
                        SystemClock.uptimeMillis());
                bootTimingsTraceLog.traceEnd(); // ZygotePreload
            }
// 孵化 SystemServer line 984:913
            if (startSystemServer) {
                Runnable r = forkSystemServer(abiList, zygoteSocketName, zygoteServer);

                // {@code r == null} in the parent (zygote) process, and {@code r != null} in the
                // child (system_server) process.
                if (r != null) {
                    r.run();
                    return;
                }
            }
// 循环等待创建请求 line 917:919
            // The select loop returns early in the child process after a fork and
            // loops forever in the zygote.
            caller = zygoteServer.runSelectLoop(abiList);

ZygoteInit 在完成预加载、孵化 SystemServer 后,会通过 zygoteServer.runSelectLoop 方法启动一个循环,持续监听来自 AMS 的创建新应用进程的请求。

2. Java 层:请求处理与 Fork

Zygote 收到新进程创建请求时,处理流程如下:

  1. ZygoteServer 监听请求
    runSelectLoop 方法负责监听和管理请求,并将具体的处理工作交给 ZygoteConnection

    /frameworks/base/core/java/com/android/internal/os/ZygoteServer.java
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
    // runSelectLoop 方法 line 508:521
                    if (pollIndex == 0) {
                        // Zygote server socket
                        ZygoteConnection newPeer = acceptCommandPeer(abiList);
                        peers.add(newPeer);
                        socketFDs.add(newPeer.getFileDescriptor());
                    } else if (pollIndex < usapPoolEventFDIndex) {
                        // Session socket accepted from the Zygote server socket

                        try {
                            ZygoteConnection connection = peers.get(pollIndex);
                            boolean multipleForksOK = !isUsapPoolEnabled()
                                    && ZygoteHooks.isIndefiniteThreadSuspensionSafe();
                            final Runnable command =
                                    connection.processCommand(this, multipleForksOK);

  2. ZygoteConnection 处理连接
    ZygoteConnection 负责解析请求参数,并调用 Zygote.forkAndSpecialize 来执行 fork 操作。

    /frameworks/base/core/java/com/android/internal/os/ZygoteConnection.java
    1
2
3
4
5
    // 可以看到调用 Native 层的 fork 逻辑 line 234:237
        pid = Zygote.forkAndSpecialize(parsedArgs.uid, parsedArgs.gid, parsedArgs.gids,
                parsedArgs.runtimeFlags, rlimits, parsedArgs.mountExternal, parsedArgs.seInfo,
                parsedArgs.niceName, fdsToClose, fdsToIgnore, parsedArgs.startChildZygote,
                parsedArgs.instructionSet, parsedArgs.appDataDir);

  3. Zygote 执行 Fork
    forkAndSpecialize 方法会调用 native 方法 nativeForkAndSpecialize 来真正执行 fork

    我们可以对比一下孵化普通应用进程 (forkAndSpecialize) 和孵化 SystemServer (forkSystemServer) 的代码,它们最终都依赖 native 方法。

    /frameworks/base/core/java/com/android/internal/os/Zygote.java
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
    // line 368:403
    static int forkAndSpecialize(int uid, int gid, int[] gids, int runtimeFlags,
            int[][] rlimits, int mountExternal, String seInfo, String niceName, int[] fdsToClose,
            int[] fdsToIgnore, boolean startChildZygote, String instructionSet, String appDataDir,
            boolean isTopApp, String[] pkgDataInfoList, String[] allowlistedDataInfoList,
            boolean bindMountAppDataDirs, boolean bindMountAppStorageDirs,
            boolean bindMountSyspropOverrides) {
        ZygoteHooks.preFork();

        int pid = nativeForkAndSpecialize(
                uid, gid, gids, runtimeFlags, rlimits, mountExternal, seInfo, niceName, fdsToClose,
                fdsToIgnore, startChildZygote, instructionSet, appDataDir, isTopApp,
                pkgDataInfoList, allowlistedDataInfoList, bindMountAppDataDirs,
                bindMountAppStorageDirs, bindMountSyspropOverrides);
        if (pid == 0) {
            // Note that this event ends at the end of handleChildProc,
            Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "PostFork");

            // If no GIDs were specified, don't make any permissions changes based on groups.
            if (gids != null && gids.length > 0) {
                NetworkUtilsInternal.setAllowNetworkingForProcess(containsInetGid(gids));
            }
        }

        // Set the Java Language thread priority to the default value for new apps.
        Thread.currentThread().setPriority(Thread.NORM_PRIORITY);

        ZygoteHooks.postForkCommon();
        return pid;
    }

    private static native int nativeForkAndSpecialize(int uid, int gid, int[] gids,
            int runtimeFlags, int[][] rlimits, int mountExternal, String seInfo, String niceName,
            int[] fdsToClose, int[] fdsToIgnore, boolean startChildZygote, String instructionSet,
            String appDataDir, boolean isTopApp, String[] pkgDataInfoList,
            String[] allowlistedDataInfoList, boolean bindMountAppDataDirs,
            boolean bindMountAppStorageDirs, boolean bindMountSyspropOverrides);
    /frameworks/base/core/java/com/android/internal/os/Zygote.java
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
    // line 501:517
    static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
            int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {
        ZygoteHooks.preFork();

        int pid = nativeForkSystemServer(
                uid, gid, gids, runtimeFlags, rlimits,
                permittedCapabilities, effectiveCapabilities);

        // Set the Java Language thread priority to the default value for new apps.
        Thread.currentThread().setPriority(Thread.NORM_PRIORITY);

        ZygoteHooks.postForkCommon();
        return pid;
    }

    private static native int nativeForkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,
            int[][] rlimits, long permittedCapabilities, long effectiveCapabilities);

3. Native 层:执行 Fork

Java 层的 native 方法最终会调用到 C++ 层的 ForkCommon 函数来完成进程的创建。

/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
// line 2529:2584
NO_STACK_PROTECTOR
static jint com_android_internal_os_Zygote_nativeForkAndSpecialize(
        JNIEnv* env, jclass, jint uid, jint gid, jintArray gids, jint runtime_flags,
        jobjectArray rlimits, jint mount_external, jstring se_info, jstring nice_name,
        jintArray managed_fds_to_close, jintArray managed_fds_to_ignore, jboolean is_child_zygote,
        jstring instruction_set, jstring app_data_dir, jboolean is_top_app,
        jobjectArray pkg_data_info_list, jobjectArray allowlisted_data_info_list,
        jboolean mount_data_dirs, jboolean mount_storage_dirs, jboolean mount_sysprop_overrides) {
    jlong capabilities = CalculateCapabilities(env, uid, gid, gids, is_child_zygote);
    jlong bounding_capabilities = CalculateBoundingCapabilities(env, uid, gid, gids);

    if (UNLIKELY(managed_fds_to_close == nullptr)) {
      zygote::ZygoteFailure(env, "zygote", nice_name,
                            "Zygote received a null fds_to_close vector.");
    }

    std::vector<int> fds_to_close =
        ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_close).value();
    std::vector<int> fds_to_ignore =
        ExtractJIntArray(env, "zygote", nice_name, managed_fds_to_ignore)
            .value_or(std::vector<int>());

    std::vector<int> usap_pipes = MakeUsapPipeReadFDVector();

    fds_to_close.insert(fds_to_close.end(), usap_pipes.begin(), usap_pipes.end());
    fds_to_ignore.insert(fds_to_ignore.end(), usap_pipes.begin(), usap_pipes.end());

    fds_to_close.push_back(gUsapPoolSocketFD);

    if (gUsapPoolEventFD != -1) {
      fds_to_close.push_back(gUsapPoolEventFD);
      fds_to_ignore.push_back(gUsapPoolEventFD);
    }

    if (gSystemServerSocketFd != -1) {
        fds_to_close.push_back(gSystemServerSocketFd);
        fds_to_ignore.push_back(gSystemServerSocketFd);
    }

    if (gPreloadFds && gPreloadFdsExtracted) {
        fds_to_ignore.insert(fds_to_ignore.end(), gPreloadFds->begin(), gPreloadFds->end());
    }

    pid_t pid = zygote::ForkCommon(env, /* is_system_server= */ false, fds_to_close, fds_to_ignore,
                                   true);

    if (pid == 0) {
        SpecializeCommon(env, uid, gid, gids, runtime_flags, rlimits, capabilities, capabilities,
                         bounding_capabilities, mount_external, se_info, nice_name, false,
                         is_child_zygote == JNI_TRUE, instruction_set, app_data_dir,
                         is_top_app == JNI_TRUE, pkg_data_info_list, allowlisted_data_info_list,
                         mount_data_dirs == JNI_TRUE, mount_storage_dirs == JNI_TRUE,
                         mount_sysprop_overrides == JNI_TRUE);
    }
    return pid;
}
/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
// line 2586:2642
NO_STACK_PROTECTOR
static jint com_android_internal_os_Zygote_nativeForkSystemServer(
        JNIEnv* env, jclass, uid_t uid, gid_t gid, jintArray gids,
        jint runtime_flags, jobjectArray rlimits, jlong permitted_capabilities,
        jlong effective_capabilities) {
  ATRACE_CALL();
  std::vector<int> fds_to_close(MakeUsapPipeReadFDVector()),
                   fds_to_ignore(fds_to_close);

  fds_to_close.push_back(gUsapPoolSocketFD);

  if (gUsapPoolEventFD != -1) {
    fds_to_close.push_back(gUsapPoolEventFD);
    fds_to_ignore.push_back(gUsapPoolEventFD);
  }

  if (gSystemServerSocketFd != -1) {
      fds_to_close.push_back(gSystemServerSocketFd);
      fds_to_ignore.push_back(gSystemServerSocketFd);
  }

  pid_t pid = zygote::ForkCommon(env, true,
                                 fds_to_close,
                                 fds_to_ignore,
                                 true);
  if (pid == 0) {
      // System server prcoess does not need data isolation so no need to
      // know pkg_data_info_list.
      SpecializeCommon(env, uid, gid, gids, runtime_flags, rlimits, permitted_capabilities,
                       effective_capabilities, 0, MOUNT_EXTERNAL_DEFAULT, nullptr, nullptr, true,
                       false, nullptr, nullptr, /* is_top_app= */ false,
                       /* pkg_data_info_list */ nullptr,
                       /* allowlisted_data_info_list */ nullptr, false, false, false);
  } else if (pid > 0) {
      // The zygote process checks whether the child process has died or not.
      ALOGI("System server process %d has been created", pid);
      gSystemServerPid = pid;
      // There is a slight window that the system server process has crashed
      // but it went unnoticed because we haven't published its pid yet. So
      // we recheck here just to make sure that all is well.
      int status;
      if (waitpid(pid, &status, WNOHANG) == pid) {
          ALOGE("System server process %d has died. Restarting Zygote!", pid);
          RuntimeAbort(env, __LINE__, "System server process has died. Restarting Zygote!");
      }

      if (UsePerAppMemcg()) {
          // Assign system_server to the correct memory cgroup.
          // Not all devices mount memcg so check if it is mounted first
          // to avoid unnecessarily printing errors and denials in the logs.
          if (!SetTaskProfiles(pid, std::vector<std::string>{"SystemMemoryProcess"})) {
              ALOGE("couldn't add process %d into system memcg group", pid);
          }
      }
  }
  return pid;
}

可以看到,它们都调用了 ForkCommon 方法。至此我们可以全心投入常规进程的孵化分析,而 SystemServer 的差异我们放在后续讨论。

我们来看 ForkCommon 的实现方法,我们先沿着进程的创建这条主线来一路看下去:

/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
// line 2421:2523
// Utility routine to fork a process from the zygote.
NO_STACK_PROTECTOR
pid_t zygote::ForkCommon(JNIEnv* env, bool is_system_server,
                         const std::vector<int>& fds_to_close,
                         const std::vector<int>& fds_to_ignore,
                         bool is_priority_fork,
                         bool purge) {
//...
  pid_t pid = fork();

  if (pid == 0) {
    if (is_priority_fork) {
      setpriority(PRIO_PROCESS, 0, PROCESS_PRIORITY_MAX);
    } else {
      setpriority(PRIO_PROCESS, 0, PROCESS_PRIORITY_MIN);
    }
//...
  return pid;
}

ForkCommon 调用了 fork() 方法,并且接受了返回的 pid。

4. libc 层:从 Native 陷入 内核态

这里的 fork 方法来源于 libc。其实这里已经是 linux 通用的系统调用流程了,但是既然到这里,就一路往下吧。

libc(C标准库)可以被看作是应用程序与 Linux 内核之间的一个“翻译层”或“接口层”。

/bionic/libc/bionic/fork.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
// line
__BIONIC_WEAK_FOR_NATIVE_BRIDGE_INLINE
int __clone_for_fork() {
  pthread_internal_t* self = __get_thread();

  int result = clone(nullptr, nullptr, (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD),
                     nullptr, nullptr, nullptr, &(self->tid));

  if (result == 0) {
    // Update the cached pid in child, since clone() will not set it directly (as
    // self->tid is updated by the kernel).
    self->set_cached_pid(gettid());
  }

  return result;
}

int _Fork() {
  return __clone_for_fork();
}

int fork() {
  __bionic_atfork_run_prepare();
  int result = _Fork();
  if (result == 0) {
    // Disable fdsan and fdtrack post-fork, so we don't falsely trigger on processes that
    // fork, close all of their fds, and then exec.
    android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_DISABLED);
    android_fdtrack_set_globally_enabled(false);

    // Reset the stack_and_tls VMA name so it doesn't end with a tid from the
    // parent process.
    __set_stack_and_tls_vma_name(true);

    __bionic_atfork_run_child();
  } else {
    __bionic_atfork_run_parent();
  }
  return result;
}

调用的 libc 的 clone 方法:

/bionic/libc/bionic/clone.cpp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
// line
__BIONIC_WEAK_FOR_NATIVE_BRIDGE
int clone(int (*fn)(void*), void* child_stack, int flags, void* arg, ...) {
  int* parent_tid = nullptr;
  void* new_tls = nullptr;
  int* child_tid = nullptr;
//...
  // Actually do the clone.
  int clone_result;
  if (fn != nullptr) {
    clone_result = __bionic_clone(flags, child_stack, parent_tid, new_tls, child_tid, fn, arg);
  } else {
#if defined(__x86_64__) // sys_clone's last two arguments are flipped on x86-64.
    clone_result = syscall(__NR_clone, flags, child_stack, parent_tid, child_tid, new_tls);
#else
    clone_result = syscall(__NR_clone, flags, child_stack, parent_tid, new_tls, child_tid);
#endif
  }

在这里我们看到了是调用了 syscall 方法。在深入就是内核的事情了,这里我们就不继续深入了。 下面我们来看看 System Server 的孵化以及正常应用的启动流程。

System Server

应用启动流程

1. 为什么你能点开一个 App?

我们每天看到的桌面实际上也是一个 App,叫做 Launcher(启动器),位于 /packages/apps/Launcher3/。 图标点击事件由 BubbleTextView 或 ShortcutAndWidgetContainer 传递到 Launcher,再走 startActivitySafely() → AMS。

Launcher3 启动 App 代码
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
@Override
public RunnableList startActivitySafely(View v, Intent intent, ItemInfo item) {
    if (!hasBeenResumed()) {
        RunnableList result = new RunnableList();
        // Workaround an issue where the WM launch animation is clobbered when finishing the
        // recents animation into launcher. Defer launching the activity until Launcher is
        // next resumed.
        addEventCallback(EVENT_RESUMED, () -> {
            RunnableList actualResult = startActivitySafely(v, intent, item);
            if (actualResult != null) {
                actualResult.add(result::executeAllAndDestroy);
            } else {
                result.executeAllAndDestroy();
            }
        });
        if (mOnDeferredActivityLaunchCallback != null) {
            mOnDeferredActivityLaunchCallback.run();
            mOnDeferredActivityLaunchCallback = null;
        }
        return result;
    }

    RunnableList result = super.startActivitySafely(v, intent, item);
    if (result != null && v instanceof BubbleTextView) {
        // This is set to the view that launched the activity that navigated the user away
        // from launcher. Since there is no callback for when the activity has finished
        // launching, enable the press state and keep this reference to reset the press
        // state when we return to launcher.
        BubbleTextView btv = (BubbleTextView) v;
        btv.setStayPressed(true);
        result.add(() -> btv.setStayPressed(false));
    }
    return result;
}

Xposed

参考资料