zygote64位和system_server进程的启动篇

备注:以下代码均是基于Android8.0分析的,大部分都是精简过的代码,便于理解
先上个流程图和时序图
流程图如下


zygote进程启动过程.png

时序图如下


zygote启动时序图.png

一. init进程以及init.rc解析

init进程是Android的的第一个进程,进程id是1,启动时执行入口main函数,解析init.rc文件,并执行相关的指令

1. init.rc语法和规则

init.rc:是由一种被称为“Android初始化语言”(Android Init Language,这里简称为AIL)的脚本写成的文件,它有自己语法和解析规则init.rc解析

下面看下init.rc的内容,为了方便阅读,给出一个精简版的关键内容

## Copyright (C) 2012 The Android Open Source Project
##
## IMPORTANT: Do not create world writable files or directories.
## This is a common source of Android security bugs.
##

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /vendor/etc/init/hw/init.${ro.hardware}.rc
import /init.usb.configfs.rc
##import /init.${ro.zygote}.rc

service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
    class main   //option
    priority -20 //option
    user root  //option
    group root readproc
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart audioserver
    onrestart restart cameraserver
    onrestart restart media
    onrestart restart netd
    onrestart restart wificond
    writepid /dev/cpuset/foreground/tasks、
    
on early-init //监听事件
    *************
on init //监听事件
    *************
on property:sys.boot_from_charger_mode=1 //监听事件
    class_stop charger
    trigger late-init

## Mount filesystems and start core system services.
on late-init //监听事件

    ## Now we can start zygote for devices with file based encryption
    trigger zygote-start  //command
    
on zygote-start && property:ro.crypto.state=unsupported
    ## A/B update verifier that marks a successful boot.
    exec_start update_verifier_nonencrypted //command
    start netd //command
    start zygote //command
    start zygote_secondary //command

说明
service关键字表示创建一个服务,
service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
表示创建一个名为zygote的服务,其实就是进程,执行文件是/system/bin/app_process64,后面的就是执行时携带参数,这个后续再解析中再讲,注意这只是创建服务,但是还没启动

on是表示监听某些事件,当事件发生触发时,执行下面的指令
比如
on late-init
## Now we can start zygote for devices with file based encryption
trigger zygote-start
表示late-init触发时,触发zygote-start事件

trigger:顾名思义,表示触发某个事件
这样的话
其实大概可以理清zygote在init.rc的启动过程
late-init->zygote-start->start zygote
其中late-init可能是property:sys.boot_from_charger_mode=1触发的,也可能是其他地方触发的,下面的讲解会提到

2. init.rc的解析

下面再看看具体是怎么解析和执行init.rc
精简的关键代码如下
代码路径:system/core/init/init.cpp

int main(int argc, char** argv) {
    //省略代码
     Parser& parser = Parser::GetInstance();
    parser.AddSectionParser("service",std::make_unique());
    parser.AddSectionParser("on", std::make_unique());
    parser.AddSectionParser("import", std::make_unique());
     //省略代码
     parser.ParseConfig("/init.rc");
     ActionManager& am = ActionManager::GetInstance();

    am.QueueEventTrigger("early-init");
     //省略代码
    // Trigger all the boot actions to get us started.
    am.QueueEventTrigger("init");
     //省略代码

    // Don't mount filesystems or start core system services in charger mode.
    std::string bootmode = GetProperty("ro.bootmode", "");
    if (bootmode == "charger") {
        am.QueueEventTrigger("charger");
    } else {
        am.QueueEventTrigger("late-init");
    }

    // Run all property triggers based on current state of the properties.
    am.QueueBuiltinAction(queue_property_triggers_action, "queue_property_triggers");

    while (true) {
        // By default, sleep until something happens.
        int epoll_timeout_ms = -1;

        if (!(waiting_for_prop || ServiceManager::GetInstance().IsWaitingForExec())) {
            am.ExecuteOneCommand();
        }
       //省略代码
    }
    return 0;
}

从代码上看,主要分为两部分

2.1 解析

可以看出有三个解析器分别是seriver,on和import,分为解析相关的关键字,这个跟init.rc的结构大体一致

将事件放到队列中,然后按顺序执行,这里面都是执行的初始化相关的事件,包括上面说的late-init这样的话,它就按照init.rc的规则,链式触发相关事件或者执行相关动作

再来看一看parse部分,这里主要看service的parser
先看parse解析器
代码路径:system/core/init/init_parser.cpp

void Parser::ParseData(const std::string& filename, const std::string& data) {
    //TODO: Use a parser with const input and remove this copy
    std::vector data_copy(data.begin(), data.end());
    data_copy.push_back('\0');

    parse_state state;
    state.filename = filename.c_str();
    state.line = 0;
    state.ptr = &data_copy[0];
    state.nexttoken = 0;

    SectionParser* section_parser = nullptr;
    std::vector args;

    for (;;) {
        switch (next_token(&state)) {
        case T_EOF:
            if (section_parser) {
                section_parser->EndSection();
            }
            return;
        case T_NEWLINE:
            state.line++;
            if (args.empty()) {
                break;
            }
            if (section_parsers_.count(args[0])) {
                if (section_parser) 
                   //遇到下一个关键字,即该关键字对应的分段解析结束
                    section_parser->EndSection();
                }
               //获取对应关键字的解析器。比如service/on/import
                section_parser = section_parsers_[args[0]].get();
                std::string ret_err;
                //解析关键字对应的行
                if (!section_parser->ParseSection(args, &ret_err)) {
                    parse_error(&state, "%s\n", ret_err.c_str());
                    section_parser = nullptr;
                }
            } else if (section_parser) {
                std::string ret_err;
               //解析关键字下面的内容,也就是init.rc中的option和Commands内容
                if (!section_parser->ParseLineSection(args, state.filename,
                                                      state.line, &ret_err)) {
                    parse_error(&state, "%s\n", ret_err.c_str());
                }
            }
            args.clear();
            break;
        case T_TEXT:
            args.emplace_back(state.text);
            break;
        }
    }
}

代码很简单,解析init.rc里面的内容,遇到关键字是就转给关键字相关的解析器解析

再来看下service的解析器
代码路径:system/core/init/service.cpp

//解析service中option的解析规则,精简代码
Service::OptionParserMap::Map& Service::OptionParserMap::map() const {
    constexpr std::size_t kMax = std::numeric_limits::max();
    // clang-format off
    static const Map option_parsers = {
        {"capabilities",
                        {1,     kMax, &Service::ParseCapabilities}},
        {"class",       {1,     kMax, &Service::ParseClass}},
        {"oneshot",     {0,     0,    &Service::ParseOneshot}},
        {"onrestart",   {1,     kMax, &Service::ParseOnrestart}},
    };
    // clang-format on
    return option_parsers;
}


//解析service开头部分,主要是创建个Service
bool ServiceParser::ParseSection(const std::vector& args,
                                 std::string* err) {
    if (args.size() < 3) {
        *err = "services must have a name and a program";
        return false;
    }

    const std::string& name = args[1];
    if (!IsValidName(name)) {
        *err = StringPrintf("invalid service name '%s'", name.c_str());
        return false;
    }

    std::vector str_args(args.begin() + 2, args.end());
//init.rc的service语法
//service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
//构造一个service,构造参数
//name:zygote
//str_args:/system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
    service_ = std::make_unique(name, str_args);
    return true;
}


//解析option或者comond的内容
/**栗子
  class main
    onrestart write /sys/power/state on
    writepid /dev/cpuset/foreground/tasks
**/
bool ServiceParser::ParseLineSection(const std::vector& args,
                                     const std::string& filename, int line,
                                     std::string* err) const {
    return service_ ? service_->ParseLine(args, err) : false;
}

//解析onrestart,就是把option内容分为放在service中对应的数据中,其他的option就不一一列举了
bool Service::ParseOnrestart(const std::vector& args, std::string* err) {
    std::vector str_args(args.begin() + 1, args.end());
    onrestart_.AddCommand(str_args, "", 0, err);
    return true;
}

//service关键字解析结束,将service加到vector容器中
void ServiceParser::EndSection() {
    if (service_) {
        ServiceManager::GetInstance().AddService(std::move(service_));
    }
}
至此service的部分解析结束

2.2 触发事件

am.QueueEventTrigger("early-init");
am.QueueEventTrigger("init");
am.QueueEventTrigger("late-init");
am.ExecuteOneCommand();

二. zygote服务(进程)的启动

1. 相关数据结构

从第一章节的2.2小节可以看到,解析完成之后触发一些事件,对于zygote而言,init.rc里面有如下指令

on late-init
    ## Now we can start zygote for devices with file based encryption
    trigger zygote-start
on zygote-start && property:ro.crypto.state=unsupported
    start zygote
    start zygote_secondary

也就是说late-init事件发生时,会再触发一个zygote-start事件,继续触发start zygote指令

先看下相关的数据结构,精简代码
代码路径:system/core/init/action.cpp
class Action

class Action {
private:
    std::string event_trigger_;  
    std::vector commands_;
    static const KeywordMap* function_map_;
};


class Command {
private:
    BuiltinFunction func_;
    std::vector args_;
    std::string filename_;
    int line_;
};

class action中
event_trigger_:该action监听的触发器
Command:触发器触发后要做的指令
function_map_:维护一个指令与具体调用方法的映射关系

class Command中
func_:具体的方法指针,通过解析on关键字,将指令取出(比如start指令),然后通过function_map_拿到具体的方法指针
args_:数据

如下是具体指令与具体调用方法的映射关系的精简代码,我们只需关注start指令就行
代码路径:system/core/init/builtins.cpp

BuiltinFunctionMap::Map& BuiltinFunctionMap::map() const {
    constexpr std::size_t kMax = std::numeric_limits::max();
    // clang-format off
    static const Map builtin_functions = {
        {"bootchart",               {1,     1,    do_bootchart}},
        {"chmod",                   {2,     2,    do_chmod}},
        {"chown",                   {2,     3,    do_chown}},
        {"class_reset",             {1,     1,    do_class_reset}},
        {"class_restart",           {1,     1,    do_class_restart}},
        {"class_start",             {1,     1,    do_class_start}},
        {"class_stop",              {1,     1,    do_class_stop}},
        {"start",                   {1,     1,    do_start}},
    };
    // clang-format on
    return builtin_functions;
}

2. init进程触发事件过程

代码路径:system/core/init/action.cpp
精简代码

void ActionManager::ExecuteOneCommand() {
    // Loop through the trigger queue until we have an action to execute
   //遍历trigger队列与action中的监听trigger对比
    while (current_executing_actions_.empty() && !trigger_queue_.empty()) {
        for (const auto& action : actions_) {
            if (trigger_queue_.front()->CheckTriggers(*action)) {
                current_executing_actions_.emplace(action.get());
            }
        }
        trigger_queue_.pop();
    }
     //命中的话,执行相关指令
    action->ExecuteOneCommand(current_command_);
}

void Action::ExecuteOneCommand(std::size_t command) const {
    // We need a copy here since some Command execution may result in
    // changing commands_ vector by importing .rc files through parser
    Command cmd = commands_[command];
    ExecuteCommand(cmd);
}

void Action::ExecuteCommand(const Command& command) const {
    Timer t;
    int result = command.InvokeFunc();
}

 //执行指令对应的函数
int Command::InvokeFunc() const {
    expanded_args[0] = args_[0];
    return func_(expanded_args);
}

3.开始启动zygote 服务

3.1 do_start()

上面func_(expanded_args)其实就是执行do_start
代码路径:system/core/init/builtins.cpp

static int do_start(const std::vector& args) {
    //args是init.rc对应的start zygote指令
    //args[1]就是zygote了,根据上面2.1章节解析service时会把结果放在vector容器中,而且service里面有name的成员变量
    //由此还可以根据name拿到对应的service
    Service* svc = ServiceManager::GetInstance().FindServiceByName(args[1]);
    if (!svc) {
        LOG(ERROR) << "do_start: Service " << args[1] << " not found";
        return -1;
    }
//调用service的start方法
    if (!svc->Start())
        return -1;
    return 0;
}

3.2 Start()

代码路径:system/core/init/service.cpp

bool Service::Start() {
    pid_t pid = -1;
    if (namespace_flags_) {
        pid = clone(nullptr, nullptr, namespace_flags_ | SIGCHLD, nullptr);
    } else {
        //熟悉的fork代码
        pid = fork();
    }

    if (pid == 0) {
        std::vector strs;
        ExpandArgs(args_, &strs);
       //strs[0]就是/system/bin/app_process64
        //将fork出来的子进程也就是zygote进程变身到一个新的进程,pid和进程名保持不变,其他的数据被新的进程覆盖
        if (execve(strs[0], (char**) &strs[0], (char**) ENV) < 0) {
            PLOG(ERROR) << "cannot execve('" << strs[0] << "')";
        }

        _exit(127);
    }

    if (pid < 0) {
        PLOG(ERROR) << "failed to fork for '" << name_ << "'";
        pid_ = 0;
        return false;
    }
    return true;
}

说明:
1./system/bin/app_process6是有app_main.cpp编译的可执行文件
2.execve() 调用 成功 后 不会 返回, 其 进程 的 正文(text), 数据(data), bss 和 堆栈(stack) 段
被 调入程序 覆盖. 调入程序 继承了 调用程序 的 PID 和 所有 打开的 文件描述符, 他们 不会
因为 exec 过程 而 关闭. 父进程 的 未决 信号 被 清除. 所有 被 调用进程 设置过 的 信号
重置为 缺省行为
也就是说execve如果调用成功,其后面的代码不会被执行

3.3 app_main的main()

代码路径:frameworks/base/cmds/app_process/app_main.cpp

int main(int argc, char* const argv[])
{
   //AppRuntime是继承AndroidRuntime的,这里创建一个runtime,下文会提及到 //todo_1
   AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
    // Parse runtime arguments.  Stop at first unrecognized option.
    bool zygote = false;
    bool startSystemServer = false;
    bool application = false;
    String8 niceName;
    String8 className;

    ++i;  // Skip unused "parent dir" argument.
    while (i < argc) {
        const char* arg = argv[i++];
        if (strcmp(arg, "--zygote") == 0) {
            zygote = true;
            //zygote的进程名zygote64
            niceName = ZYGOTE_NICE_NAME;
        } else if (strcmp(arg, "--start-system-server") == 0) {
            //启动system_server进程,也就是说zygote启动后就去fork出system_server进程
            startSystemServer = true;
        } else if (strcmp(arg, "--application") == 0) {
            application = true;
        } else if (strncmp(arg, "--nice-name=", 12) == 0) {
            niceName.setTo(arg + 12);
        } else if (strncmp(arg, "--", 2) != 0) {
            className.setTo(arg);
            break;
        } else {
            --i;
            break;
        }
    }

    if (!niceName.isEmpty()) {
        //设置zygote的进程名
        runtime.setArgv0(niceName.string(), true /* setProcName */);
    }

    if (zygote) {
        runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
    } else if (className) {
        runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
    } else {
        fprintf(stderr, "Error: no class name or --zygote supplied.\n");
        app_usage();
        LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
    }
}

3.4 AndroidRuntime.start()

代码路径:frameworks/base/core/jni/AndroidRuntime.cpp

void AndroidRuntime::start(const char* className, const Vector& options, bool zygote)
{

    /* start the virtual machine */
    JniInvocation jni_invocation;
    jni_invocation.Init(NULL);
    JNIEnv* env;
    //启动虚拟机
    if (startVm(&mJavaVM, &env, zygote, primary_zygote) != 0) {
        return;
    }
    onVmCreated(env);

    /*
     * Register android functions.注册native方法
     */
    if (startReg(env) < 0) {
        ALOGE("Unable to register all android natives\n");
        return;
    }

    /*
     * We want to call main() with a String array with arguments in it.
     * At present we have two arguments, the class name and an option string.
     * Create an array to hold them.
     */
    jclass stringClass;
    jobjectArray strArray;
    jstring classNameStr;

    stringClass = env->FindClass("java/lang/String");
    assert(stringClass != NULL);
    strArray = env->NewObjectArray(options.size() + 1, stringClass, NULL);
    assert(strArray != NULL);
    classNameStr = env->NewStringUTF(className);
    assert(classNameStr != NULL);
    env->SetObjectArrayElement(strArray, 0, classNameStr);

    for (size_t i = 0; i < options.size(); ++i) {
        jstring optionsStr = env->NewStringUTF(options.itemAt(i).string());
        assert(optionsStr != NULL);
        env->SetObjectArrayElement(strArray, i + 1, optionsStr);
    }

    /*
     * Start VM.  This thread becomes the main thread of the VM, and will
     * not return until the VM exits.
     */
    char* slashClassName = toSlashClassName(className != NULL ? className : "");
    jclass startClass = env->FindClass(slashClassName);
    if (startClass == NULL) {
        ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
        /* keep going */
    } else {
        jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
            "([Ljava/lang/String;)V");
        if (startMeth == NULL) {
            ALOGE("JavaVM unable to find main() in '%s'\n", className);
            /* keep going */
        } else {
            //调用ZygoteInit的入口函数main
            env->CallStaticVoidMethod(startClass, startMeth, strArray);

#if 0
            if (env->ExceptionCheck())
                threadExitUncaughtException(env);
#endif
        }
    }
    free(slashClassName);

    ALOGD("Shutting down VM\n");
    if (mJavaVM->DetachCurrentThread() != JNI_OK)
        ALOGW("Warning: unable to detach main thread\n");
    if (mJavaVM->DestroyJavaVM() != 0)
        ALOGW("Warning: VM did not shut down cleanly\n");
}

说明:AndroidRuntime.start()主要做了三件事
1.注册framework层的native方法以便jni调用,比如com_android_internal_os_ZygoteInit_nativeZygoteInit
2.启动虚拟机
3.调用ZygoteInit.java 的main函数,这个main一直会执行或者阻塞,不会退出,这样的话VM也不会退出

3.5 ZygoteInit.main()

代码路径ZygoteInit.java

   public static void main(String argv[]) {
       ZygoteServer zygoteServer = new ZygoteServer();

           // Start profiling the zygote initialization.
           SamplingProfilerIntegration.start();

           boolean startSystemServer = false;
           String socketName = "zygote";
           String abiList = null;
           boolean enableLazyPreload = false;
           for (int i = 1; i < argv.length; i++) {
               if ("start-system-server".equals(argv[i])) {
                  //标识启动system_server进程
                   startSystemServer = true;
               } else if ("--enable-lazy-preload".equals(argv[i])) {
                   enableLazyPreload = true;
               } else if (argv[i].startsWith(ABI_LIST_ARG)) {
                   abiList = argv[i].substring(ABI_LIST_ARG.length());
               } else if (argv[i].startsWith(SOCKET_NAME_ARG)) {
                   socketName = argv[i].substring(SOCKET_NAME_ARG.length());
               } else {
                   throw new RuntimeException("Unknown command line argument: " + argv[i]);
               }
           }
           if (abiList == null) {
               throw new RuntimeException("No ABI list supplied.");
           }
           //注册一个socket server
           zygoteServer.registerServerSocket(socketName);
           // In some configurations, we avoid preloading resources and classes eagerly.
           // In such cases, we will preload things prior to our first fork.
          preload(bootTimingsTraceLog);

           // Finish profiling the zygote initialization.
           SamplingProfilerIntegration.writeZygoteSnapshot();

           // Do an initial gc to clean up after startup
           bootTimingsTraceLog.traceBegin("PostZygoteInitGC");
           gcAndFinalize();
           bootTimingsTraceLog.traceEnd(); // PostZygoteInitGC

           if (startSystemServer) {
              //启动system_server进程 
               startSystemServer(abiList, socketName, zygoteServer);
           }

           Log.i(TAG, "Accepting command socket connections");
          //开始在while循环中监听来自AMS的fork子进程的请求,避免main退出
           zygoteServer.runSelectLoop(abiList);

           zygoteServer.closeServerSocket();
       } catch (Zygote.MethodAndArgsCaller caller) {
           caller.run();
       } catch (Throwable ex) {
           Log.e(TAG, "System zygote died with exception", ex);
           zygoteServer.closeServerSocket();
           throw ex;
       }
   }

说明:main主要做了三件事
1.preload 预加载
预加载framework中的类(/system/etc/
preloaded-classes)
预加载framework中的资源/system/framework/framework-res.apk
预加载动态库libandroid.so,libjnigraphics.so等等
预加载动态库libandroid.so,libjnigraphics.so等等
预加载默认字体
2.启动system_server进程
3.注册socket server并在循环中监听来自system_server的fork子进程的请求,

三 system_server进程的启动

1.1 startSystemServer

private static boolean startSystemServer(String abiList, String socketName, ZygoteServer zygoteServer)
            throws Zygote.MethodAndArgsCaller, RuntimeException {
        String args[] = {
            "--nice-name=system_server",
            "--runtime-args",
            "com.android.server.SystemServer",
        };
        ZygoteConnection.Arguments parsedArgs = null;

        int pid;

        try {
            parsedArgs = new ZygoteConnection.Arguments(args);
            ZygoteConnection.applyDebuggerSystemProperty(parsedArgs);
            ZygoteConnection.applyInvokeWithSystemProperty(parsedArgs);

            /* Request to fork the system server process */
            pid = Zygote.forkSystemServer(
                    parsedArgs.uid, parsedArgs.gid,
                    parsedArgs.gids,
                    parsedArgs.debugFlags,
                    null,
                    parsedArgs.permittedCapabilities,
                    parsedArgs.effectiveCapabilities);
        } catch (IllegalArgumentException ex) {
            throw new RuntimeException(ex);
        }

        /* For child process */
        if (pid == 0) {
            if (hasSecondZygote(abiList)) {
                waitForSecondaryZygote(socketName);
            }
            zygoteServer.closeServerSocket();
           //fork成功,处理system_server
            handleSystemServerProcess(parsedArgs);
        }
        return true;
    }

    /**
     * Finish remaining work for the newly forked system server process.
     */
    private static void handleSystemServerProcess(
            ZygoteConnection.Arguments parsedArgs)
            throws Zygote.MethodAndArgsCaller {

        if (parsedArgs.niceName != null) {
            //设置进程名
            Process.setArgV0(parsedArgs.niceName);
        }
            /*
             * Pass the remaining arguments to SystemServer.
             */
           //这里是被zygote进程fork出来的子进程做的一些初始化工作(主要是System_server进程和普通的app进程)
            ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion, parsedArgs.remainingArgs, cl);
        /* should never reach here */
    }

1.2 ZygoteInit.zygoteInit

代码路径:ZygoteInit.java

 public static final void zygoteInit(int targetSdkVersion, String[] argv,
            ClassLoader classLoader) throws Zygote.MethodAndArgsCaller {
        if (RuntimeInit.DEBUG) {
            Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");
        }

        Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");
        RuntimeInit.redirectLogStreams();

        RuntimeInit.commonInit();
        //通过jni调用native的方法,在5.4 AndroidRuntime.start()中提过的,注册了jni相关函数以便java端的调用,这里正好用到了
        ZygoteInit.nativeZygoteInit();
        RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
    }

说明:zygoteInit主要做了三件事
1.RuntimeInit.commonInit() 设置UncaughtExceptionhandler和UA,具体代码比较简单这里不列举了
2.ZygoteInit.nativeZygoteInit() 调用native端的ZygoteInit(),这稍后再说
3.RuntimeInit.applicationInit 根据argv找到启动类,并执行入口main函数,具体代码比较简单这里不列举了(其实就是反射调用啦)

1.3 ZygoteInit.nativeZygoteInit()

代码路径frameworks/base/core/jni/AndroidRuntime.cpp

static void com_android_internal_os_ZygoteInit_nativeZygoteInit(JNIEnv* env, jobject clazz)
{
    gCurRuntime->onZygoteInit();
}

这个gCurRuntime实际就是5.3 app_main.cpp main中创建的appruntime ,可以查看todo_1标签与之呼应

1.4 onZygoteInit()

代码路径frameworks/base/cmds/app_process/app_main.cpp

    virtual void onZygoteInit()
    {
        sp proc = ProcessState::self();
        ALOGV("App process: starting thread pool.\n");
        proc->startThreadPool();
    }

说明:ProcessState是进程的状态,在构造函数时,会打开binder驱动做内存映射,startThreadPool会启动一个binder主线程,这样system_server具备binder的能力也就是跨进程通信的能力,app进程也是这样的,在创建成功后也会构造一个ProcessState,
另外我们可以看到zygote进程在启动的过程中并没有去创建ProcessState,所以zygote并没有binder的能力,所以zygote与system_server通信时用的是socket,至于zygote为什么不用binder
待下回分解。
至此所有的流程分析完毕。

你可能感兴趣的:(zygote64位和system_server进程的启动篇)