安卓Zygote详解
一、Zygote, 意为“受精卵”
,Android系统中几乎所有的应用进程都是由Zygote进程孵化出来的,Java环境也是由Zygote创建起来的,它建立了我们app运行所需要的环境,是app的祖先,因此,分析它的启动以及内部逻辑显得非常有必要。
*Android系统是基于Linux内核的,而在Linux系统中,所有的进程都是init进程的子孙进程,也就是说,所有的进程都是直接或者间接地由init进程fork出来的。Zygote进程也不例外,它是在系统启动的过程,由init进程创建的。在系统启动脚本system/core/rootdir/init.rc文件中,我们可以看到启动Zygote进程的脚本命令:
二、app_process对应的源码在frameworks/base/cmds/app_process目录下 ,其入口函数main在文件app_main.cpp中,接下来我们就从这个main函数入手来分析zygote的内部逻辑。
这个函数定义在frameworks/base/core/jni/AndroidRuntime.cpp文件中:
调用startVm函数创建虚拟机;
调用startReg函数注册Android Natvie函数;
让虚拟机去执行com.android.internal.os.ZygoteInit的main函数。
接下来分析下com.android.internal.os.ZygoteInit的main函数,frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
调用 registerZygoteSocket()创建一个套接字,用于监听ams发过来的fork请求;
调用preload()预加载classes 和resources;
调用startSystemServer()创建system server进程,ams wms pms等常见service都在该进程里面;
调用runSelectLoopMode()进入循环监听模式,监听外来请求。
1、 registerZygoteSocket
fork()创建子进程,父进程返回true。子进程执行RuntimeInit.zygoteInit。
@frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
2、startSystemServer
@frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
*zygoteInitNative:
@frameworks/base/core/jni/AndroidRuntime.cpp
@frameworks/base/services/java/com/android/server/SystemServer.java
*selectReadable()函数对应native函数为:com_android_internal_os_ZygoteInit_SelectReadable()
*在android中SystemService的启动是在Zygote进程创建好后进行的,并且由Zygote进程建立好DVM运行环境,加载ZygoteInit的main函数,最终调用Zygote的本地方法forkSystemServer,并执行linux的fork方法创建SystemServer进程。
*应用程序的进程也是由Zygote创建的,在ActivityManagerService中的startProcessLocked中调用了Process.start()方法。并通过连接调用Zygote的native方法forkAndSpecialize,执行fork任务。
*Android系统是基于Linux内核的,而在Linux系统中,所有的进程都是init进程的子孙进程,也就是说,所有的进程都是直接或者间接地由init进程fork出来的。Zygote进程也不例外,它是在系统启动的过程,由init进程创建的。在系统启动脚本system/core/rootdir/init.rc文件中,我们可以看到启动Zygote进程的脚本命令:
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
class main
socket zygote stream 660 root system # zygote需要一个套接字
onrestart write /sys/android_power/request_state wake # zygote重启的话,需要执行这个操作
onrestart write /sys/power/state on
onrestart restart media
onrestart restart netd二、app_process对应的源码在frameworks/base/cmds/app_process目录下 ,其入口函数main在文件app_main.cpp中,接下来我们就从这个main函数入手来分析zygote的内部逻辑。
int main(int argc, char* const argv[])
{
// These are global variables in ProcessState.cpp
mArgC = argc;
mArgV = argv;
mArgLen = 0;
for (int i=0; i这个函数定义在frameworks/base/core/jni/AndroidRuntime.cpp文件中:
// 首先明确下传进来的参数 className == "com.android.internal.os.ZygoteInit" options == "start-system-server"
void AndroidRuntime::start(const char* className, const char* options)
{
ALOGD("\n>>>>>> AndroidRuntime START %s <<<<<<\n",
className != NULL ? className : "(unknown)");
/*
* 'startSystemServer == true' means runtime is obsolete and not run from
* init.rc anymore, so we print out the boot start event here.
*/
if (strcmp(options, "start-system-server") == 0) {
/* track our progress through the boot sequence */
const int LOG_BOOT_PROGRESS_START = 3000;
LOG_EVENT_LONG(LOG_BOOT_PROGRESS_START,
ns2ms(systemTime(SYSTEM_TIME_MONOTONIC)));
}
const char* rootDir = getenv("ANDROID_ROOT");
if (rootDir == NULL) {
rootDir = "/system";
if (!hasDir("/system")) {
LOG_FATAL("No root directory specified, and /android does not exist.");
return;
}
setenv("ANDROID_ROOT", rootDir, 1); //配置ANDROID_ROOT环境变量
}
//const char* kernelHack = getenv("LD_ASSUME_KERNEL");
//ALOGD("Found LD_ASSUME_KERNEL='%s'\n", kernelHack);
/* start the virtual machine */
JniInvocation jni_invocation;
jni_invocation.Init(NULL);
JNIEnv* env;
if (startVm(&mJavaVM, &env) != 0) { // 创建虚拟机
return;
}
onVmCreated(env);
/*
* Register android functions.
*/
if (startReg(env) < 0) {
ALOGE("Unable to register all android natives\n");
return;
}
/*
* We want to call main() with a String array with arguments in it.
* At present we have two arguments, the class name and an option string.
* Create an array to hold them.
*/
jclass stringClass;
jobjectArray strArray;
jstring classNameStr;
jstring optionsStr;
stringClass = env->FindClass("java/lang/String");
assert(stringClass != NULL);
strArray = env->NewObjectArray(2, stringClass, NULL);
assert(strArray != NULL);
classNameStr = env->NewStringUTF(className);
assert(classNameStr != NULL);
env->SetObjectArrayElement(strArray, 0, classNameStr);
optionsStr = env->NewStringUTF(options);
env->SetObjectArrayElement(strArray, 1, optionsStr);
/*
* Start VM. This thread becomes the main thread of the VM, and will
* not return until the VM exits.
*/
char* slashClassName = toSlashClassName(className);
jclass startClass = env->FindClass(slashClassName);
if (startClass == NULL) {
ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
/* keep going */
} else {
jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
/* keep going */
} else {
/* 调用com.android.internal.os.ZygoteInit的main函数,strArray是参数,数组里面有两个元素,
className == "com.android.internal.os.ZygoteInit" options == "start-system-server" */
env->CallStaticVoidMethod(startClass, startMeth, strArray);
#if 0
if (env->ExceptionCheck())
threadExitUncaughtException(env);
#endif
}
}
free(slashClassName);
ALOGD("Shutting down VM\n");
if (mJavaVM->DetachCurrentThread() != JNI_OK)
ALOGW("Warning: unable to detach main thread\n");
if (mJavaVM->DestroyJavaVM() != 0)
ALOGW("Warning: VM did not shut down cleanly\n");
}调用startVm函数创建虚拟机;
调用startReg函数注册Android Natvie函数;
让虚拟机去执行com.android.internal.os.ZygoteInit的main函数。
接下来分析下com.android.internal.os.ZygoteInit的main函数,frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
public static void main(String argv[]) {
try {
// Start profiling the zygote initialization.
SamplingProfilerIntegration.start();
registerZygoteSocket(); // 1、创建一个套接字,用于监听ams发过来的fork请求
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_START,
SystemClock.uptimeMillis());
preload(); // 2、加载classes 和resources, 后面会详细分析
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_END,
SystemClock.uptimeMillis());
// Finish profiling the zygote initialization.
SamplingProfilerIntegration.writeZygoteSnapshot();
// Do an initial gc to clean up after startup
gc();
// If requested, start system server directly from Zygote
if (argv.length != 2) {
throw new RuntimeException(argv[0] + USAGE_STRING);
}
if (argv[1].equals("start-system-server")) {
startSystemServer(); //3、 创建system server进程,ams wms pms等常见service都在该进程里面
} else if (!argv[1].equals("")) {
throw new RuntimeException(argv[0] + USAGE_STRING);
}
Log.i(TAG, "Accepting command socket connections");
if (ZYGOTE_FORK_MODE) {
runForkMode();
} else {
runSelectLoopMode(); // 4、进入循环监听模式,监听外来请求
}
closeServerSocket();
} catch (MethodAndArgsCaller caller) {
caller.run();
} catch (RuntimeException ex) {
Log.e(TAG, "Zygote died with exception", ex);
closeServerSocket();
throw ex;
}
}调用 registerZygoteSocket()创建一个套接字,用于监听ams发过来的fork请求;
调用preload()预加载classes 和resources;
调用startSystemServer()创建system server进程,ams wms pms等常见service都在该进程里面;
调用runSelectLoopMode()进入循环监听模式,监听外来请求。
1、 registerZygoteSocket
fork()创建子进程,父进程返回true。子进程执行RuntimeInit.zygoteInit。
@frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
public class ZygoteInit {
...
private static LocalServerSocket sServerSocket;
private static final String ANDROID_SOCKET_ENV = "ANDROID_SOCKET_zygote";
private static void registerZygoteSocket() {
if(sServerSocket == NULL) {
int fileDesc;
String env = System.getenv(ANDROID_SOCKET_ENV); // 获取环境变量
fileDesc = Integer.parseInt(env);
sServerSocket = new LocalServerSocket(createFileDescriptor(fileDesc));
}
}
}
void service_start(struct service *svc, const char* dynamic_args)
{
...
pid = fork();
if ( pid == 0)
{
struct socketinfo *si;
...
for (si = svc->sockets; si; si = si->next) {
int socket_type = (!strcmp(si->type, "stream") ? SOCK_STREAM :
(!strcmp(si->type, "dgram") ? SOCK_DGRAM : SOCK_SEQPACKET));
int s = create_socket(si->name, socket_type, si->perm, si->uid, si->gid);
publish_socket(si->name, s);
}
}
...
}
#define ANDROID_SOCKET_ENV_PREFIX "ANDROID_SOCKET_"
#define ANDROID_SOCKET_DIR "/dev/socket"
static void publish_socket(const char *name, int fd)
{
char key[64] = ANDROID_SOCKET_ENV_PREFIX;
char val[64];
strlcpy(key + sizeof(ANDROID_SOCKET_ENV_PREFIX) -1, name, sizeof(key) - sizeof(ANDROID_SOCKET_ENV_PREFIX));
snprintf(val, sizeof(val), "%d", fd);
add_environment(key, val); // ANDROID_SOCKET_zygote = val
fcntl(fd, F_SETFD, 0);
}2、startSystemServer
@frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
private static boolean startSystemServer() {
String args[] = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006...",
"--capabilities=13010432,130104352",
"--runtime-init",
"--nice-name=system_server",
"com.android.server.SystemServer",
};
ZygoteConnection.Arguments parsedArgs = null;
parsedArgs = new ZygoteConnection.Arguments(args);
ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);
int pid = Zygote.forkSystemServer(
parsedArgs.uid, parsedArgs.gid, parsedArgs.gids,
parsedArgs.debugFlags, null, parsedArgs.permittedCapabilities,
parsedArgs.effectiveCapabilities));
if (pid == 0) { // 子进程
handleSystemServerProcess(parsedArgs);
}
return true; // 父进程直接返回true
}public class ZygoteInit {
....
private static void handleSystemServerProcess(ZygoteConnection.Arguments parsedArgs) {
closeServerSocket(); // 子进程不需要zygote套接字,直接关闭
FileUtils.setUMask(FileUtils.S_IRWXG | FileUtils.S_IRWXO);
...
RuntimeInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs);
}
}
public class RuntimeInit {
...
public static final void zygoteInit(int targetSdkVersion, String[] argv) {
redirectLogStreams();
commonInit();
zygoteInitNative(); // 是一个native函数,主要完成Binder通信机制的初始化
applicationInit(targetSdkVersion, argv);
}
public static final native void zygoteInitNative();
private static void applicationInit(int targetSdkVersion, String[] argv) {
VMRuntime.getRuntime().setTargetHeapUtilizatoin(0.75f);
VMRuntime.getRuntime().setTargetSdkVersion(targetSdkVersion);
final Arguments args;
args = new Arguments(argv);
invokeStaticMain(args.startClass, args.startArgs);
}
// 这个 className = "com.android.server.SystemServer"
private static void invokeStaticMain(String className, String[] argv) {
Class cl;
cl = Class.forName(className);
Method m;
m = cl.getMethod("main", new Class[] {String[].class});
...
throw new ZygoteInit.MethodAndArgsCaller(m, argv);
}
}*zygoteInitNative:
@frameworks/base/core/jni/AndroidRuntime.cpp
static JNINativeMethod gMethods[] = {
....
{ "zygoteInitNative", "()V", (void*) com_android_internal_os_RuntimeInit_zygoteInit },
....
};
static void com_android_internal_os_RuntimeInit_zygoteInit(JNIEnv* env, jobject clazz)
{
gCurRuntime->onZygoteInit(); // 就是启动Binder通信
}
virtual void onZygoteInit()
{
sp proc = ProcessState::self(); // 每个进程一份ProcessState对象,打开Binder驱动
if(proc->supportsProcess()){
proc->startThreadPool(); // 启动一个线程用于Binder通信
}
} @frameworks/base/services/java/com/android/server/SystemServer.java
public class SystemServer {
native public static void init1(Strig[] args);
public static void main(String[] args) {
....
VMRuntime.getRuntime().setTargetHeapUtilization(0.8f);
System.loadLibrary("android_servers");
init1(args);
}
public static final void init2() {
Thread thr = new ServerThread();
thr.setName("android.server.ServerThread");
thr.start();
}
}static void android_server_SystemServer_init1(JNIEnv* env, jobject clazz)
{
system_init();
}
status_t system_init()
{
sp proc(ProcessState::self());
sp sm = defaultServiceManager();
...
AndroidRuntime* runtime = AndroidRuntime::getRuntime();
JNIEnv* env = rungime->getJNIEnv();
jclass clazz = env->FindClass("com/android/server/SystemServer");
jmethodID methodId = env->GetStaticMethodID(clazz, "init2", "()V");
env->CallStaticVoidMethod(clazz, methodId);
ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
return NO_ERROR;
} class ServerThread extends Thread {
...
public void run() {
Looper.prepare();
// Critical services ...
ServiceManager.addService(Context.POWER_SERVICE, new PoperManagerService());
ActivityManagerService.main();
PackageManagerService.main(context);
...
}
}3、runSelectLoopMode
public class ZygoteInit {
....
private static void runSelectLoopMode() throws MethodAndArgsCaller {
ArrayList fds = new ArrayList();
ArrayList peers = new ArrayList();
FileDescriptor[] fdArray = new FileDescriptor[4];
fds.add(sServerSocket.getFileDescriptor());
peers.add(NULL);
int loopCount = GC_LOOP_COUNT; // 10
while(true) {
fdArray = fds.toArray(fdArray);
index = selectReadble(fdArray); // 类似Linux下的select轮询,native 函数
if(index < 0) {
...
} else if(index == 0) { // 表示有客户端连接上
ZygoteConnection newPeer = acceptCommandPeer();
peers.add(newPeer);
fds.add(newPeer.getFileDescriptor());
} else { // 客户端发送了请求过来,交给ZygoteConnection的runOnce()函数完成
boolean done = peers.get(index).runOnce();
if(done) {
peers.remove(index);
fds.remove(index);
}
}
}
}
private static ZygoteConnection acceptCommandPeer() {
...
return new ZygoteConnection(sServerSocket.accept());
}
} *selectReadable()函数对应native函数为:com_android_internal_os_ZygoteInit_SelectReadable()
static jint com_android_internal_os_ZygoteInit_selectReadable (
JNIEnv *env, jobject clazz, jobjectArray fds)
{
if (fds == NULL) {
jniThrowNullPointerException(env, "fds == null");
return -1;
}
jsize length = env->GetArrayLength(fds);
fd_set fdset;
if (env->ExceptionOccurred() != NULL) {
return -1;
}
FD_ZERO(&fdset);
int nfds = 0;
for (jsize i = 0; i < length; i++) {
jobject fdObj = env->GetObjectArrayElement(fds, i);
if (env->ExceptionOccurred() != NULL) {
return -1;
}
if (fdObj == NULL) {
continue;
}
int fd = jniGetFDFromFileDescriptor(env, fdObj);
if (env->ExceptionOccurred() != NULL) {
return -1;
}
FD_SET(fd, &fdset);
if (fd >= nfds) {
nfds = fd + 1;
}
}
int err;
do {
err = select (nfds, &fdset, NULL, NULL, NULL);
} while (err < 0 && errno == EINTR);
if (err < 0) {
jniThrowIOException(env, errno);
return -1;
}
for (jsize i = 0; i < length; i++) {
jobject fdObj = env->GetObjectArrayElement(fds, i);
if (env->ExceptionOccurred() != NULL) {
return -1;
}
if (fdObj == NULL) {
continue;
}
int fd = jniGetFDFromFileDescriptor(env, fdObj);
if (env->ExceptionOccurred() != NULL) {
return -1;
}
if (FD_ISSET(fd, &fdset)) {
return (jint)i;
}
}
return -1;
}*在android中SystemService的启动是在Zygote进程创建好后进行的,并且由Zygote进程建立好DVM运行环境,加载ZygoteInit的main函数,最终调用Zygote的本地方法forkSystemServer,并执行linux的fork方法创建SystemServer进程。
*应用程序的进程也是由Zygote创建的,在ActivityManagerService中的startProcessLocked中调用了Process.start()方法。并通过连接调用Zygote的native方法forkAndSpecialize,执行fork任务。
*应用进程和服务进程位于不同的进程中,他们之间是通过IPC进行数据传递的。