2023-03-08 10:40:32 +08:00
# 第三章 认识系统组件
2023-01-14 23:46:20 +08:00
2023-04-25 20:49:13 +08:00
`Android12` 以及对应的内核, , , , ( `native` 中的文件读写,`java` 类型的转换`c++` 类型等)并不需要我们重新实现,因为这些需求大多数在`Android` 系统源码中都有类似的实现,熟练掌握`Android` 系统源码,了解系统中常用的那些功能性函数,可以大大的提高定制系统的效率。在源码的学习过程中,最重要的是,**学习系统源码时,碰到问题,要学会跳过,很多时候是需要经历过一遍遍学习和实践后,才能完全理解其中的含义。**
2023-02-19 20:11:35 +08:00
2023-04-25 20:49:13 +08:00
## 3.1 源码结构介绍
2023-02-19 20:11:35 +08:00
2023-04-25 20:49:13 +08:00
`Android` 源码结构分为四个主要的模块:`frameworks、packages、hardware、system` 。`frameworks` 模块是`Android` 系统的核心,包含了`Android` 系统的核心类库、`Java` 框架和服务,它是`Android` 开发的基础。`packages` 模块包括了`Android` 系统的应用程序,主要是用户使用的应用程序,例如通讯录、日历和相机。`hardware` 模块提供了对硬件设备的支持,例如触摸屏、摄像头等。最后,`system` 模块包含了`Linux` 内核和`Android` 底层服务,它负责管理资源和处理系统事件。除了这些主要模块,`Android` 源码中还有一些其他的文件夹,例如`build、external、prebuilts` 和`tools` 等,他们提供了编译系统所需的资源和工具。接下来,看看根目录的基本结构。
1. `art` :该目录是`Android 5.0` 中新增加的,主要是实现`Android RunTime( ) 的目录,它作为`Android 4.4` 中的`Dalvik` 虚拟机的替代,主要处理`Java` 字节码。
2. `bionic` :这是`Android` 的`C` 库,包含了很多标准的`C` 库函数和头文件,还有一些`Android` 特有的函数和头文件。
3. `build` :该目录包含了编译`Android` 源代码所需要的脚本,包括`makefile` 文件和一些构建工具。
4. `compatibility` :该目录收集了`Android` 设备的兼容性测试套件`( ) 和兼容性实现`( ) 。
5. `cts` : `( ) ,主要用来测试设备是否符合`Android` 标准。
6. `dalvik` :该目录包含了`Dalvik` 虚拟机,它是`Android 2.3` 版本之前的主要虚拟机,它主要处理`Java` 字节码。
7. `developers` :该目录包含了`Android` 开发者文档和样例代码。
8. `development` :该目录包含了一些调试工具,如`systrace、monkey、ddms` 等。
9. `device` :该目录包含了特定的`Android` 设备的驱动程序。
10. `external` :该目录包含了一些第三方库,如`WebKit、OpenGL` 等。
11. `frameworks` :该目录提供了`Android` 应用程序调用底层服务的`API` 。
12. `hardware` :该目录包含了`Android` 设备硬件相关的驱动代码,如摄像头驱动、蓝牙驱动等。
13. `kernel` :该目录包含了`Android` 系统内核的源代码,它是`Android` 系统的核心部分。
14. `libcore` :该目录包含了`Android` 底层库,它提供了一些基本的`API` ,如文件系统操作、网络操作等。
15. `packages` :该目录包含了`Android` 框架、应用程序和其他模块的源代码。 包含了`Android` 系统中的所有应用程序,例如短信、电话、浏览器、相机等
16. `pdk` :该目录是一个`Android` 平台开发套件,它包含了一些工具和`API` ,
17. `platform_testing` :该目录包含了一些测试工具,用于测试`Android` 平台的稳定性和性能。
18. `prebuilts` :该目录包含了一些预先编译的文件,如编译工具、驱动程序等。
19. `sdk` :该目录是`Android SDK` 的源代码,它包含了`Android SDK` 的`API` 文档、代码示例、工具等。
20. `system` :该目录包含了`Android` 系统的核心部分,如系统服务、应用程序、内存管理机制、文件系统、网络协议等。
21. `test` :该目录包含了一些测试代码,用于测试`Android` 系统的各个组件。
22. `toolchain` :该目录包含了一些编译器和工具链,如`GCC、Clang` 等,用于编译`Android` 源代码。
23. `tools` :该目录包含了一些开发工具,如`Android SDK` 工具、`Android Studio、Eclipse` 等。
24. `vendor` :该目录包含了一些硬件厂商提供的驱动程序,如摄像头驱动、蓝牙驱动等。
2023-02-19 20:11:35 +08:00
2023-03-08 10:23:49 +08:00
2023-02-19 20:11:35 +08:00
2023-03-08 10:23:49 +08:00
, , , , , , , , ,
2023-02-21 23:14:28 +08:00
## 3.2 Android启动流程
2023-03-08 10:23:49 +08:00
: , ,
2023-02-21 23:14:28 +08:00
1. Bootloader阶段: , ( ) , ( ) , , ,
2. Kernel阶段: , , , ,
3. Init进程阶段: , , , ,
4. System Server启动阶段: , , , ,
2023-03-08 10:23:49 +08:00
, , , , , ,
2023-03-02 00:49:22 +08:00
2023-02-21 23:14:28 +08:00
## 3.3 内核启动
2023-03-08 10:23:49 +08:00
, , , ,
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
, , , , `adb reboot bootloader` 直接重启进入引导程序。
2023-02-21 23:14:28 +08:00
( ) ,
2023-03-08 10:23:49 +08:00
`~/android_src/android-kernel/private/msm-google/arch/arm64/kernel/head.S` 查看汇编代码如下。
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```assembly
2023-02-21 23:14:28 +08:00
__HEAD
_head:
/*
* DO NOT MODIFY. Image header expected by Linux boot-loaders.
*/
#ifdef CONFIG_EFI
/*
* This add instruction has no meaningful effect except that
* its opcode forms the magic "MZ" signature required by UEFI.
*/
add x13, x18, #0x16
b stext
#else
b stext // branch to kernel start, magic
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```assembly
2023-02-21 23:14:28 +08:00
/*
* The following callee saved general purpose registers are used on the
* primary lowlevel boot path:
*
* Register Scope Purpose
* x21 stext() .. start_kernel() FDT pointer passed at boot in x0
* x23 stext() .. start_kernel() physical misalignment/KASLR offset
* x28 __create_page_tables() callee preserved temp register
* x19/x20 __primary_switch() callee preserved temp registers
*/
ENTRY(stext)
bl preserve_boot_args //把引导程序传的4个参数保存在全局数组boot_args
bl el2_setup // Drop to EL1, w0=cpu_boot_mode
adrp x23, __PHYS_OFFSET
and x23, x23, MIN_KIMG_ALIGN - 1 // KASLR offset, defaults to 0
bl set_cpu_boot_mode_flag
bl __create_page_tables // 创建页表映射 x25=TTBR0, x26=TTBR1
/*
* The following calls CPU setup code, see arch/arm64/mm/proc.S for
* details.
* On return, the CPU will be ready for the MMU to be turned on and
* the TCR will have been set.
*/
bl __cpu_setup // // 初始化处理器 initialise processor
b __primary_switch
ENDPROC(stext)
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
,
2023-03-06 12:09:21 +08:00
```assembly
2023-02-21 23:14:28 +08:00
__primary_switch:
#ifdef CONFIG_RANDOMIZE_BASE
mov x19, x0 // preserve new SCTLR_EL1 value
mrs x20, sctlr_el1 // preserve old SCTLR_EL1 value
#endif
bl __enable_mmu
#ifdef CONFIG_RELOCATABLE
bl __relocate_kernel
#ifdef CONFIG_RANDOMIZE_BASE
ldr x8, =__primary_switched //将x8设置成__primary_switched的地址
adrp x0, __PHYS_OFFSET
blr x8 //调用__primary_switched
/*
* If we return here, we have a KASLR displacement in x23 which we need
* to take into account by discarding the current kernel mapping and
* creating a new one.
*/
msr sctlr_el1, x20 // disable the MMU
isb
bl __create_page_tables // recreate kernel mapping
tlbi vmalle1 // Remove any stale TLB entries
dsb nsh
isb
msr sctlr_el1, x19 // re-enable the MMU
isb
ic iallu // flush instructions fetched
dsb nsh // via old mapping
isb
bl __relocate_kernel
#endif
#endif
ldr x8, =__primary_switched
adrp x0, __PHYS_OFFSET
br x8
ENDPROC(__primary_switch)
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
接着,继续跟踪`__primary_switched` 函数, ,
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```assembly
2023-02-21 23:14:28 +08:00
__primary_switched:
adrp x4, init_thread_union
add sp, x4, #THREAD_SIZE
adr_l x5, init_task
msr sp_el0, x5 // Save thread_info
adr_l x8, vectors // load VBAR_EL1 with virtual
msr vbar_el1, x8 // vector table address
isb
stp xzr, x30, [sp, #-16]!
mov x29, sp
#ifdef CONFIG_SHADOW_CALL_STACK
adr_l x18, init_shadow_call_stack // Set shadow call stack
#endif
str_l x21, __fdt_pointer, x5 // Save FDT pointer
ldr_l x4, kimage_vaddr // Save the offset between
sub x4, x4, x0 // the kernel virtual and
str_l x4, kimage_voffset, x5 // physical mappings
// Clear BSS
adr_l x0, __bss_start
mov x1, xzr
adr_l x2, __bss_stop
sub x2, x2, x0
bl __pi_memset
dsb ishst // Make zero page visible to PTW
#ifdef CONFIG_KASAN
bl kasan_early_init
#endif
#ifdef CONFIG_RANDOMIZE_BASE
tst x23, ~(MIN_KIMG_ALIGN - 1) // already running randomized?
b.ne 0f
mov x0, x21 // pass FDT address in x0
mov x1, x23 // pass modulo offset in x1
bl kaslr_early_init // parse FDT for KASLR options
cbz x0, 0f // KASLR disabled? just proceed
orr x23, x23, x0 // record KASLR offset
ldp x29, x30, [sp], #16 // we must enable KASLR, return
ret // to __primary_switch()
0:
#endif
b start_kernel // 内核的入口函数
ENDPROC(__primary_switched)
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
, , , `~/android_src/android-kernel/private/msm-google/init/main.c` ,
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```c
2023-02-21 23:14:28 +08:00
asmlinkage __visible void __init start_kernel(void)
{
2023-03-02 00:49:22 +08:00
// 加载各种子系统
...
2023-02-21 23:14:28 +08:00
/* Do the rest non-__init'ed, we're now alive */
rest_init();
prevent_tail_call_optimization();
}
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
,
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```c
2023-02-21 23:14:28 +08:00
static noinline void __ref rest_init(void)
{
...
kernel_thread(kernel_init, NULL, CLONE_FS);
numa_default_policy();
pid = kernel_thread(kthreadd, NULL, CLONE_FS | CLONE_FILES);
...
}
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
接着看看kernel_init线程执行的内容。
2023-03-06 12:09:21 +08:00
```c
2023-02-21 23:14:28 +08:00
static int __ref kernel_init(void *unused)
{
int ret;
kernel_init_freeable();
/* need to finish all async __init code before freeing the memory */
async_synchronize_full();
free_initmem();
mark_readonly();
system_state = SYSTEM_RUNNING;
numa_default_policy();
rcu_end_inkernel_boot();
if (ramdisk_execute_command) {
ret = run_init_process(ramdisk_execute_command);
if (!ret)
return 0;
pr_err("Failed to execute %s (error %d)\n",
ramdisk_execute_command, ret);
}
/*
* We try each of these until one succeeds.
*
* The Bourne shell can be used instead of init if we are
* trying to recover a really broken machine.
*/
if (execute_command) {
ret = run_init_process(execute_command);
if (!ret)
return 0;
panic("Requested init %s failed (error %d).",
execute_command, ret);
}
if (!try_to_run_init_process("/sbin/init") ||
!try_to_run_init_process("/etc/init") ||
!try_to_run_init_process("/bin/init") ||
!try_to_run_init_process("/bin/sh"))
return 0;
panic("No working init found. Try passing init= option to kernel. "
"See Linux Documentation/init.txt for guidance.");
}
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
, ,
2023-02-21 23:14:28 +08:00
2023-03-06 12:09:21 +08:00
```c
2023-02-21 23:14:28 +08:00
static int try_to_run_init_process(const char *init_filename)
{
int ret;
ret = run_init_process(init_filename);
if (ret & & ret != -ENOENT) {
pr_err("Starting init: %s exists but couldn't execute it (error %d)\n",
init_filename, ret);
}
return ret;
}
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
这里简单包装调用的run_init_process,
2023-03-06 12:09:21 +08:00
```c
2023-02-21 23:14:28 +08:00
static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(getname_kernel(init_filename),
(const char __user *const __user * )argv_init,
(const char __user *const __user * )envp_init);
}
2023-03-06 12:09:21 +08:00
```
2023-02-21 23:14:28 +08:00
2023-03-08 10:23:49 +08:00
,
2023-02-21 23:14:28 +08:00
## 3.4 Init进程启动
2023-02-22 23:33:36 +08:00
2023-03-02 00:49:22 +08:00
, , , , , , , :
: , ;
: , ;
: , ;
2023-03-06 12:09:21 +08:00
: , ;
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
: , ;
2023-03-02 00:49:22 +08:00
: ,
2023-03-08 10:23:49 +08:00
`system/core/init/main.cpp` 。下面,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
int main(int argc, char** argv) {
#if __has_feature(address_sanitizer)
__asan_set_error_report_callback(AsanReportCallback);
#endif
// Boost prio which will be restored later
setpriority(PRIO_PROCESS, 0, -20);
if (!strcmp(basename(argv[0]), "ueventd")) {
return ueventd_main(argc, argv);
}
2023-03-06 12:09:21 +08:00
2023-02-22 23:33:36 +08:00
if (argc > 1) {
if (!strcmp(argv[1], "subcontext")) {
android::base::InitLogging(argv, &android::base::KernelLogger);
const BuiltinFunctionMap& function_map = GetBuiltinFunctionMap();
return SubcontextMain(argc, argv, &function_map);
}
// 第二步 装载selinux策略
if (!strcmp(argv[1], "selinux_setup")) {
return SetupSelinux(argv);
}
// 第三步
if (!strcmp(argv[1], "second_stage")) {
return SecondStageMain(argc, argv);
}
}
// 第一步 挂载设备节点
return FirstStageMain(argc, argv);
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
, , , , ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
int FirstStageMain(int argc, char** argv) {
...
CHECKCALL(clearenv());
CHECKCALL(setenv("PATH", _PATH_DEFPATH, 1));
// Get the basic filesystem setup we need put together in the initramdisk
// on / and then we'll let the rc file figure out the rest.
CHECKCALL(mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755"));
CHECKCALL(mkdir("/dev/pts", 0755));
CHECKCALL(mkdir("/dev/socket", 0755));
CHECKCALL(mkdir("/dev/dm-user", 0755));
CHECKCALL(mount("devpts", "/dev/pts", "devpts", 0, NULL));
#define MAKE_STR(x) __STRING(x)
CHECKCALL(mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
#undef MAKE_STR
// Don't expose the raw commandline to unprivileged processes.
CHECKCALL(chmod("/proc/cmdline", 0440));
std::string cmdline;
android::base::ReadFileToString("/proc/cmdline", &cmdline);
// Don't expose the raw bootconfig to unprivileged processes.
chmod("/proc/bootconfig", 0440);
std::string bootconfig;
android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
gid_t groups[] = {AID_READPROC};
CHECKCALL(setgroups(arraysize(groups), groups));
CHECKCALL(mount("sysfs", "/sys", "sysfs", 0, NULL));
CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL));
CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)));
...
// 这里可以看到重新访问了init进程,
const char* path = "/system/bin/init";
const char* args[] = {path, "selinux_setup", nullptr};
auto fd = open("/dev/kmsg", O_WRONLY | O_CLOEXEC);
dup2(fd, STDOUT_FILENO);
dup2(fd, STDERR_FILENO);
close(fd);
// 使用execv再次调用起init进程
execv(path, const_cast< char * * > (args));
2023-03-06 12:09:21 +08:00
2023-02-22 23:33:36 +08:00
// execv() only returns if an error happened, in which case we
// panic and never fall through this conditional.
PLOG(FATAL) << "execv(\"" < < path << " \") failed ";
return 1;
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
, , , ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
int SetupSelinux(char** argv) {
SetStdioToDevNull(argv);
InitKernelLogging(argv);
...
LOG(INFO) < < "Opening SELinux policy";
// Read the policy before potentially killing snapuserd.
std::string policy;
ReadPolicy(&policy);
auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
if (snapuserd_helper) {
// Kill the old snapused to avoid audit messages. After this we cannot
// read from /system (or other dynamic partitions) until we call
// FinishTransition().
snapuserd_helper->StartTransition();
}
LoadSelinuxPolicy(policy);
if (snapuserd_helper) {
// Before enforcing, finish the pending snapuserd transition.
snapuserd_helper->FinishTransition();
snapuserd_helper = nullptr;
}
SelinuxSetEnforcement();
// We're in the kernel domain and want to transition to the init domain. File systems that
// store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
// but other file systems do. In particular, this is needed for ramdisks such as the
// recovery image for A/B devices.
if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
PLOG(FATAL) < < "restorecon failed of /system/bin/init failed";
}
setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
// 继续再拉起一个init进程,参数设置second_stage
const char* path = "/system/bin/init";
const char* args[] = {path, "second_stage", nullptr};
execv(path, const_cast< char * * > (args));
// execv() only returns if an error happened, in which case we
// panic and never return from this function.
PLOG(FATAL) << "execv(\"" < < path << " \") failed ";
return 1;
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
, , , ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
int SecondStageMain(int argc, char** argv) {
...
// 初始化属性系统
PropertyInit();
// 开启属性服务
StartPropertyService(&property_fd);
2023-03-06 12:09:21 +08:00
2023-02-22 23:33:36 +08:00
// 解析init.rc 以及启动其他相关进程
LoadBootScripts(am, sm);
...
return 0;
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
static void LoadBootScripts(ActionManager& action_manager, ServiceList& service_list) {
Parser parser = CreateParser(action_manager, service_list);
std::string bootscript = GetProperty("ro.boot.init_rc", "");
if (bootscript.empty()) {
// 解析各目录中的init.rc
parser.ParseConfig("/system/etc/init/hw/init.rc");
if (!parser.ParseConfig("/system/etc/init")) {
late_import_paths.emplace_back("/system/etc/init");
}
// late_import is available only in Q and earlier release. As we don't
// have system_ext in those versions, skip late_import for system_ext.
parser.ParseConfig("/system_ext/etc/init");
if (!parser.ParseConfig("/vendor/etc/init")) {
late_import_paths.emplace_back("/vendor/etc/init");
}
if (!parser.ParseConfig("/odm/etc/init")) {
late_import_paths.emplace_back("/odm/etc/init");
}
if (!parser.ParseConfig("/product/etc/init")) {
late_import_paths.emplace_back("/product/etc/init");
}
} else {
parser.ParseConfig(bootscript);
}
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
bool Parser::ParseConfig(const std::string& path) {
if (is_dir(path.c_str())) {
return ParseConfigDir(path);
}
return ParseConfigFile(path);
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
, ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
bool Parser::ParseConfigFile(const std::string& path) {
...
ParseData(path, &config_contents.value());
...
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
void Parser::ParseData(const std::string& filename, std::string* data) {
...
2023-03-06 12:09:21 +08:00
2023-02-22 23:33:36 +08:00
for (;;) {
switch (next_token(& state)) {
case T_EOF:
...
return;
case T_NEWLINE: {
...
else if (section_parsers_.count(args[0])) {
end_section();
// 从section_parsers_中获取出来的
section_parser = section_parsers_[args[0]].get();
section_start_line = state.line;
// 使用了ParseSection进行解析
if (auto result =
section_parser->ParseSection(std::move(args), filename, state.line);
!result.ok()) {
parse_error_count_++;
LOG(ERROR) < < filename < < " : " < < state . line < < " : " < < result . error ( ) ;
section_parser = nullptr;
bad_section_found = true;
}
} else if (section_parser) {
// 使用了ParseLineSection进行解析
if (auto result = section_parser->ParseLineSection(std::move(args), state.line);
!result.ok()) {
parse_error_count_++;
LOG(ERROR) < < filename < < " : " < < state . line < < " : " < < result . error ( ) ;
}
2023-03-06 12:09:21 +08:00
}
2023-02-22 23:33:36 +08:00
...
}
case T_TEXT:
args.emplace_back(state.text);
break;
}
}
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-08 10:23:49 +08:00
, ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
void Parser::AddSectionParser(const std::string& name, std::unique_ptr< SectionParser > parser) {
section_parsers_[name] = std::move(parser);
}
Parser CreateParser(ActionManager& action_manager, ServiceList& service_list) {
Parser parser;
parser.AddSectionParser("service", std::make_unique< ServiceParser > (
& service_list, GetSubcontext(), std::nullopt));
parser.AddSectionParser("on", std::make_unique< ActionParser > (& action_manager, GetSubcontext()));
parser.AddSectionParser("import", std::make_unique< ImportParser > (&parser));
return parser;
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
, ,
2023-03-02 00:49:22 +08:00
2023-02-22 23:33:36 +08:00
,
2023-03-08 10:23:49 +08:00
, ,
2023-02-22 23:33:36 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-02-22 23:33:36 +08:00
// service节点的解析处理
Result< void > ServiceParser::ParseSection(std::vector< std::string > & & args,
const std::string& filename, int line) {
if (args.size() < 3 ) {
return Error() < < "services must have a name and a program";
}
const std::string& name = args[1];
if (!IsValidName(name)) {
return Error() < < "invalid service name '" < < name < < " ' " ;
}
filename_ = filename;
Subcontext* restart_action_subcontext = nullptr;
if (subcontext_ & & subcontext_->PathMatchesSubcontext(filename)) {
restart_action_subcontext = subcontext_;
}
std::vector< std::string > str_args(args.begin() + 2, args.end());
if (SelinuxGetVendorAndroidVersion() < = __ANDROID_API_P__ ) {
if (str_args[0] == "/sbin/watchdogd") {
str_args[0] = "/system/bin/watchdogd";
}
}
if (SelinuxGetVendorAndroidVersion() < = __ANDROID_API_Q__ ) {
if (str_args[0] == "/charger") {
str_args[0] = "/system/bin/charger";
}
}
service_ = std::make_unique< Service > (name, restart_action_subcontext, str_args, from_apex_);
return {};
}
// on 节点的解析处理
Result< void > ActionParser::ParseSection(std::vector< std::string > & & args,
const std::string& filename, int line) {
std::vector< std::string > triggers(args.begin() + 1, args.end());
if (triggers.size() < 1 ) {
return Error() < < "Actions must have a trigger";
}
Subcontext* action_subcontext = nullptr;
if (subcontext_ & & subcontext_->PathMatchesSubcontext(filename)) {
action_subcontext = subcontext_;
}
std::string event_trigger;
std::map< std::string , std::string > property_triggers;
if (auto result =
ParseTriggers(triggers, action_subcontext, & event_trigger, &property_triggers);
!result.ok()) {
return Error() < < "ParseTriggers() failed: " < < result.error ( ) ;
}
auto action = std::make_unique< Action > (false, action_subcontext, filename, line, event_trigger,
property_triggers);
action_ = std::move(action);
return {};
}
// import节点的解析处理
Result< void > ImportParser::ParseSection(std::vector< std::string > & & args,
const std::string& filename, int line) {
if (args.size() != 2) {
return Error() << "single argument needed for import\n";
}
auto conf_file = ExpandProps(args[1]);
if (!conf_file.ok()) {
return Error() < < "Could not expand import: " < < conf_file.error ( ) ;
}
LOG(INFO) < < "Added '" < < *conf_file < < "' to import list";
if (filename_.empty()) filename_ = filename;
imports_.emplace_back(std::move(*conf_file), line);
return {};
}
2023-03-06 12:09:21 +08:00
```
2023-02-22 23:33:36 +08:00
2023-03-02 00:49:22 +08:00
, ,
## 3.5 init.rc
, `Android Init Language` 的脚本语言写成的文件, ,
2023-03-08 10:23:49 +08:00
, , , , , , , , ,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , , , `system/core/rootdir/init.rc` 。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
// 导入另一个rc文件
import /init.environ.rc
import /system/etc/init/hw/init.usb.rc
import /init.${ro.hardware}.rc
import /vendor/etc/init/hw/init.${ro.hardware}.rc
import /system/etc/init/hw/init.usb.configfs.rc
import /system/etc/init/hw/init.${ro.zygote}.rc
...
// 当初始化触发时,执行section下的命令
on init
sysclktz 0
# Mix device-specific information into the entropy pool
copy /proc/cmdline /dev/urandom
copy /system/etc/prop.default /dev/urandom
symlink /proc/self/fd/0 /dev/stdin
symlink /proc/self/fd/1 /dev/stdout
symlink /proc/self/fd/2 /dev/stderr
# Create energy-aware scheduler tuning nodes
mkdir /dev/stune/foreground
...
// 当属性ro.debuggable变更为1时触发section内的命令
on property:ro.debuggable=1
# Give writes to anyone for the trace folder on debug builds.
# The folder is used to store method traces.
chmod 0773 /data/misc/trace
# Give reads to anyone for the window trace folder on debug builds.
chmod 0775 /data/misc/wmtrace
# Give reads to anyone for the accessibility trace folder on debug builds.
chmod 0775 /data/misc/a11ytrace
...
// 定义系统服务 服务名称ueventd 服务路径/system/bin/ueventd
// 服务类型core, ,
service ueventd /system/bin/ueventd
class core
critical
seclabel u:r:ueventd:s0
shutdown critical
// 定义系统服务 服务名称console 服务路径/system/bin/sh
// 服务类型core 服务状态disabled 服务所属用户shell 服务所属组shell log readproc
// 安全标签u:r:shell:s0 设置环境变量HOSTNAME console
service console /system/bin/sh
class core
console
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
setenv HOSTNAME console
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , , , , , `http://www.gaohaiyan.com/4047.html`
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
on boot #系统启动触发
on early-init #在初始化之前触发
on init #在初始化时触发 (在启动配置文件/init.conf被装载之后)
on late-init #在初始化晚期阶段触发
on charger #当充电时触发
on property:< key > =< value > #当属性值满足条件时触发
on post-fs #挂载文件系统
on post-fs-data #挂载data
on device-added-< path > #在指定设备被添加时触发
on device-removed-< path > #在指定设备被移除时触发
on service-exited-< name > #在指定service退出时触发
on < name > =< value > #当属性 < name > 等于< value > 时触发
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
chdir < dirc > 更改工作目录为< dirc >
chmod < octal-mode > < path > 更改文件访问权限
chown < owner > < group > < path > 更改文件所有者和组群
chroot < direc > 更改根目录位置
class_start < serviceclass > 如果它们不在运行状态的话,启动由< serviceclass > 类名指定的所有相关服务
class_stop < serviceclass > 如果它们在运行状态的话,停止
domainname < name > 设置域名
exec < path > [ < argument > ]* fork并执行一个程序, < path > , ,
export < name > < value > 设置某个环境变量< name > 的值为< value > ,这是对全局有效的,即其后所有进程都将继承这个变量
hostname < name > 设置主机名
ifup < interface > 使网络接口< interface > 成功连接
import < filename > 引入一个名为< filename > 的文件
insmod < path > 在< path > 路径上安装一个模块
mkdir < path > [mode] [owner] [group] 在< path > 路径上新建一个目录
2023-03-06 12:09:21 +08:00
mount < type > < device > < dir > [< mountoption > ]* 尝试在指定路径上挂载一个设备
2023-03-02 00:49:22 +08:00
setprop < name > < value > 设置系统属性< name > 的值为< value >
setrlinit < resource > < cur > < max > 设置一种资源的使用限制。这个概念亦存在于Linux系统中, < cur > 表示软限制,< max > 表示硬限制
start < service > 启动一个服务
stop < service > 停止一个服务
symlink < target > < path > 创建一个< path > 路径的软链接,目标为< target >
sysclk < mins_west_of_gmt > 设置基准时间, ,
trigger < event > 触发一个事件
write < path > < string > [< string > ]* 打开一个文件,并写入字符串
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
class < name > 为该服务指定一个class名,
默认情况下服务的class名是“default”。另外还有core(其它服务依赖的基础性核心服务)、main(java须要的基本服务)、late_start(厂商定制的服务)
critical 表示这是一个对设备至关重要的一个服务,如果它在四分钟内退出超过四次,则设备将重启进入恢复模式
disabled 此服务不会自动启动,而是需要通过显式调用服务名来启动
group < groupname > [< groupname > ]* 在启动服务前将用户组切换为< groupname >
oneshot 只启动一次,当此服务退出时,不要主动去重启它
onrestart 当此服务重启时,执行某些命令
setenv < name > < value > 设置环境变量< name > 为某个值< value >
socket < name > < type > < perm > [ < user > [< group > ]] 创建一个名为/dev/socket/< name > 的unix domain socket, , < type > 值包括dgram, ,
user < username > 在启动服务前将用户组切换为< username > ,
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
service kservice /system/bin/app_process -Djava.class.path=/system/framework/ksvr.jar /system/bin cn.mik.ksvr.kSystemSvr svr
class main
user root
group root
oneshot
seclabel u:r:su:s0
on property:sys.boot_completed=1
bootchart stop
start kservice
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, , `/system/bin/app_process` 作为进程启动, , `cn.mik.ksvr.kSystemSvr` , ,
## 3.6 Zygote启动
2023-03-08 10:23:49 +08:00
, , , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
# 导入含有zygote服务定义的rc文件,
import /system/etc/init/hw/init.${ro.zygote}.rc
# init完成后触发zygote-start事件
on late-init
...
# Now we can start zygote for devices with file based encryption
trigger zygote-start
...
# 最后启动了zygote和zygote_secondary
on zygote-start & & property:ro.crypto.state=unencrypted
wait_for_prop odsign.verification.done 1
# A/B update verifier that marks a successful boot.
exec_start update_verifier_nonencrypted
start statsd
start netd
start zygote
start zygote_secondary
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`system/core/rootdir/` 中。分别是init.zygote32.rc、init.zygote64.rc、init.zygote32_64.rc、init.zygote64_32.rc, ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
// --zygote 传递给app_process程序的参数,表示这是启动一个孵化器。
// --start-system-server 传递给app_process程序的参数,
service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
class main
priority -20
user root
group root readproc reserved_disk
socket zygote stream 660 root system
socket usap_pool_primary stream 660 root system
onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
onrestart write /sys/power/state on
onrestart restart audioserver
onrestart restart cameraserver
onrestart restart media
onrestart restart netd
onrestart restart wificond
writepid /dev/cpuset/foreground/tasks
critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , , , , ,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , `frameworks/base/cmds/app_process/app_main.cpp` 中。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```c++
2023-03-02 00:49:22 +08:00
#if defined(__LP64__)
static const char ABI_LIST_PROPERTY[] = "ro.product.cpu.abilist64";
static const char ZYGOTE_NICE_NAME[] = "zygote64";
#else
static const char ABI_LIST_PROPERTY[] = "ro.product.cpu.abilist32";
static const char ZYGOTE_NICE_NAME[] = "zygote";
#endif
int main(int argc, char* const argv[])
{
...
// Parse runtime arguments. Stop at first unrecognized option.
bool zygote = false;
bool startSystemServer = false;
bool application = false;
String8 niceName;
String8 className;
++i; // Skip unused "parent dir" argument.
// 参数的处理
while (i < argc ) {
const char* arg = argv[i++];
if (strcmp(arg, "--zygote") == 0) {
zygote = true;
niceName = ZYGOTE_NICE_NAME;
} else if (strcmp(arg, "--start-system-server") == 0) {
startSystemServer = true;
} else if (strcmp(arg, "--application") == 0) {
application = true;
} else if (strncmp(arg, "--nice-name=", 12) == 0) {
niceName.setTo(arg + 12);
} else if (strncmp(arg, "--", 2) != 0) {
className.setTo(arg);
break;
} else {
--i;
break;
}
}
...
if (!niceName.isEmpty()) {
runtime.setArgv0(niceName.string(), true /* setProcName */);
}
// 如果启动时设置--zygote, ,
if (zygote) {
const char* zygoteName="com.android.internal.os.ZygoteInit";
runtime.start(zygoteName, args, zygote);
} else if (className) {
const char* zygoteName="com.android.internal.os.RuntimeInit";
runtime.start(zygoteName, args, zygote);
} else {
fprintf(stderr, "Error: no class name or --zygote supplied.\n");
app_usage();
LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, , ,
, ,
, `frameworks/base/core/jni/AndroidRuntime.cpp`
2023-03-06 12:09:21 +08:00
```cpp
2023-03-02 00:49:22 +08:00
void AndroidRuntime::start(const char* className, const Vector< String8 > & options, bool zygote)
{
...
//const char* kernelHack = getenv("LD_ASSUME_KERNEL");
//ALOGD("Found LD_ASSUME_KERNEL='%s'\n", kernelHack);
/* 启动vm虚拟机 */
JniInvocation jni_invocation;
jni_invocation.Init(NULL);
JNIEnv* env;
if (startVm(& mJavaVM, & env, zygote, primary_zygote) != 0) {
return;
}
onVmCreated(env);
/*
* 注册框架使用的JNI调用
*/
if (startReg(env) < 0 ) {
ALOGE("Unable to register all android natives\n");
return;
}
...
char* slashClassName = toSlashClassName(className != NULL ? className : "");
jclass startClass = env->FindClass(slashClassName);
if (startClass == NULL) {
ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
/* keep going */
} else {
// 这里调用ZygoteInit或者是RuntimeInit的main函数
jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
"([Ljava/lang/String;)V");
if (startMeth == NULL) {
ALOGE("JavaVM unable to find main() in '%s'\n", className);
/* keep going */
} else {
env->CallStaticVoidMethod(startClass, startMeth, strArray);
#if 0
if (env->ExceptionCheck())
threadExitUncaughtException(env);
#endif
}
}
free(slashClassName);
ALOGD("Shutting down VM\n");
if (mJavaVM->DetachCurrentThread() != JNI_OK)
ALOGW("Warning: unable to detach main thread\n");
if (mJavaVM->DestroyJavaVM() != 0)
ALOGW("Warning: VM did not shut down cleanly\n");
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , `frameworks/base/core/java/com/android/internal/os/ZygoteInit.java`
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public static void main(String[] argv) {
ZygoteServer zygoteServer = null;
...
try {
...
if (!enableLazyPreload) {
bootTimingsTraceLog.traceBegin("ZygotePreload");
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_START,
SystemClock.uptimeMillis());
// 预加载资源,比如类、主题资源、字体资源等等
preload(bootTimingsTraceLog);
EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_END,
SystemClock.uptimeMillis());
bootTimingsTraceLog.traceEnd(); // ZygotePreload
}
...
Zygote.initNativeState(isPrimaryZygote);
ZygoteHooks.stopZygoteNoThreadCreation();
// 创建socket服务端
zygoteServer = new ZygoteServer(isPrimaryZygote);
// 前面在init.rc中有配置--start-system-server的进程则会进入fork启动SystemServer
if (startSystemServer) {
Runnable r = forkSystemServer(abiList, zygoteSocketName, zygoteServer);
// {@code r == null} in the parent (zygote) process, and {@code r != null} in the
// child (system_server) process.
if (r != null) {
r.run();
return;
}
}
Log.i(TAG, "Accepting command socket connections");
// socket服务端等待AMS的请求,
caller = zygoteServer.runSelectLoop(abiList);
} catch (Throwable ex) {
Log.e(TAG, "System zygote died with fatal exception", ex);
throw ex;
} finally {
if (zygoteServer != null) {
zygoteServer.closeServerSocket();
}
}
// We're in the child process and have exited the select loop. Proceed to execute the
// command.
if (caller != null) {
caller.run();
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
ZygoteServer(boolean isPrimaryZygote) {
mUsapPoolEventFD = Zygote.getUsapPoolEventFD();
if (isPrimaryZygote) {
mZygoteSocket = Zygote.createManagedSocketFromInitSocket(Zygote.PRIMARY_SOCKET_NAME);
mUsapPoolSocket =
Zygote.createManagedSocketFromInitSocket(
Zygote.USAP_POOL_PRIMARY_SOCKET_NAME);
} else {
mZygoteSocket = Zygote.createManagedSocketFromInitSocket(Zygote.SECONDARY_SOCKET_NAME);
mUsapPoolSocket =
Zygote.createManagedSocketFromInitSocket(
Zygote.USAP_POOL_SECONDARY_SOCKET_NAME);
}
mUsapPoolSupported = true;
fetchUsapPoolPolicyProps();
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
,
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
private static Runnable forkSystemServer(String abiList, String socketName,
ZygoteServer zygoteServer) {
// 服务启动的相关参数,
String[] args = {
"--setuid=1000",
"--setgid=1000",
"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,"
+ "1024,1032,1065,3001,3002,3003,3006,3007,3009,3010,3011",
"--capabilities=" + capabilities + "," + capabilities,
"--nice-name=system_server",
"--runtime-args",
"--target-sdk-version=" + VMRuntime.SDK_VERSION_CUR_DEVELOPMENT,
"com.android.server.SystemServer",
};
ZygoteArguments parsedArgs;
int pid;
try {
...
// 使用fork创建一个SystemServer进程
/* Request to fork the system server process */
pid = Zygote.forkSystemServer(
parsedArgs.mUid, parsedArgs.mGid,
parsedArgs.mGids,
parsedArgs.mRuntimeFlags,
null,
parsedArgs.mPermittedCapabilities,
parsedArgs.mEffectiveCapabilities);
} catch (IllegalArgumentException ex) {
throw new RuntimeException(ex);
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
/* For child process */
if (pid == 0) {
if (hasSecondZygote(abiList)) {
waitForSecondaryZygote(socketName);
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
zygoteServer.closeServerSocket();
// pid为0的部分,
return handleSystemServerProcess(parsedArgs);
}
return null;
}
private static Runnable handleSystemServerProcess(ZygoteArguments parsedArgs) {
...
ClassLoader cl = getOrCreateSystemServerClassLoader();
if (cl != null) {
Thread.currentThread().setContextClassLoader(cl);
}
// 初始化SystemServer
return ZygoteInit.zygoteInit(parsedArgs.mTargetSdkVersion,
parsedArgs.mDisabledCompatChanges,
parsedArgs.mRemainingArgs, cl);
...
}
public static Runnable zygoteInit(int targetSdkVersion, long[] disabledCompatChanges,
String[] argv, ClassLoader classLoader) {
...
// 继续跟进去
return RuntimeInit.applicationInit(targetSdkVersion, disabledCompatChanges, argv,
classLoader);
}
protected static Runnable applicationInit(int targetSdkVersion, long[] disabledCompatChanges,
String[] argv, ClassLoader classLoader) {
...
// 反射获取com.android.server.SystemServer的入口函数并返回
return findStaticMain(args.startClass, args.startArgs, classLoader);
}
// 可以看到就是通过反射, ,
protected static Runnable findStaticMain(String className, String[] argv,
ClassLoader classLoader) {
Class< ?> cl;
try {
cl = Class.forName(className, true, classLoader);
} catch (ClassNotFoundException ex) {
throw new RuntimeException(
"Missing class when invoking static main " + className,
ex);
}
Method m;
try {
m = cl.getMethod("main", new Class[] { String[].class });
} catch (NoSuchMethodException ex) {
throw new RuntimeException(
"Missing static main on " + className, ex);
} catch (SecurityException ex) {
throw new RuntimeException(
"Problem getting static main on " + className, ex);
}
int modifiers = m.getModifiers();
if (! (Modifier.isStatic(modifiers) & & Modifier.isPublic(modifiers))) {
throw new RuntimeException(
"Main method is not public and static on " + className);
}
/*
* This throw gets caught in ZygoteInit.main(), which responds
* by invoking the exception's run() method. This arrangement
* clears up all the stack frames that were required in setting
* up the process.
*/
return new MethodAndArgsCaller(m, argv);
}
// forkSystemServer最终返回的就是这个类
static class MethodAndArgsCaller implements Runnable {
/** method to call */
private final Method mMethod;
/** argument array */
private final String[] mArgs;
public MethodAndArgsCaller(Method method, String[] args) {
mMethod = method;
mArgs = args;
}
public void run() {
try {
mMethod.invoke(null, new Object[] { mArgs });
} catch (IllegalAccessException ex) {
throw new RuntimeException(ex);
} catch (InvocationTargetException ex) {
Throwable cause = ex.getCause();
if (cause instanceof RuntimeException) {
throw (RuntimeException) cause;
} else if (cause instanceof Error) {
throw (Error) cause;
}
throw new RuntimeException(ex);
}
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, , , `frameworks/base/services/java/com/android/server/SystemServer.java`
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public static void main(String[] args) {
new SystemServer().run();
}
private void run() {
...
// 创建主线程Looper
Looper.prepareMainLooper();
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
// 初始化系统Context上下文
createSystemContext();
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
// 创建SystemServiceManager,
mSystemServiceManager = new SystemServiceManager(mSystemContext);
mSystemServiceManager.setStartInfo(mRuntimeRestart,
mRuntimeStartElapsedTime, mRuntimeStartUptime);
mDumper.addDumpable(mSystemServiceManager);
LocalServices.addService(SystemServiceManager.class, mSystemServiceManager);
...
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
// 启动各种服务
try {
t.traceBegin("StartServices");
// 启动引导服务
startBootstrapServices(t);
// 启动核心服务
startCoreServices(t);
// 启动其他服务
startOtherServices(t);
} catch (Throwable ex) {
Slog.e("System", "******************************************");
Slog.e("System", "************ Failure starting system services", ex);
throw ex;
} finally {
t.traceEnd(); // StartServices
}
...
// Loop forever.
Looper.loop();
}
// 启动负责引导的服务
private void startBootstrapServices(@NonNull TimingsTraceAndSlog t) {
t.traceBegin("startBootstrapServices");
...
// 启动ActivityManagerService
t.traceBegin("StartActivityManager");
// TODO: Might need to move after migration to WM.
ActivityTaskManagerService atm = mSystemServiceManager.startService(
ActivityTaskManagerService.Lifecycle.class).getService();
mActivityManagerService = ActivityManagerService.Lifecycle.startService(
mSystemServiceManager, atm);
mActivityManagerService.setSystemServiceManager(mSystemServiceManager);
mActivityManagerService.setInstaller(installer);
mWindowManagerGlobalLock = atm.getGlobalLock();
t.traceEnd();
...
}
private void startOtherServices(@NonNull TimingsTraceAndSlog t) {
t.traceBegin("startOtherServices");
...
// 从systemReady开始可以启动第三方应用
mActivityManagerService.systemReady(() -> {
...
}, t);
...
}
// 最后看看systemReady的处理
// frameworks/base/services/java/com/android/server/am/ActivitymanagerService.java
public void systemReady(final Runnable goingCallback, @NonNull TimingsTraceAndSlog t) {
...
Slog.i(TAG, "System now ready");
...
// 启动多用户下的Home Activity,
if (bootingSystemUser) {
t.traceBegin("startHomeOnAllDisplays");
mAtmInternal.startHomeOnAllDisplays(currentUserId, "systemReady");
t.traceEnd();
}
2023-03-06 12:09:21 +08:00
...
2023-03-02 00:49:22 +08:00
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
Runnable runSelectLoop(String abiList) {
...
socketFDs.add(mZygoteSocket.getFileDescriptor());
peers.add(null);
mUsapPoolRefillTriggerTimestamp = INVALID_TIMESTAMP;
while (true) {
fetchUsapPoolPolicyPropsWithMinInterval();
mUsapPoolRefillAction = UsapPoolRefillAction.NONE;
int[] usapPipeFDs = null;
StructPollfd[] pollFDs;
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
int pollReturnValue;
try {
pollReturnValue = Os.poll(pollFDs, pollTimeoutMs);
} catch (ErrnoException ex) {
throw new RuntimeException("poll failed", ex);
}
...
if (mUsapPoolRefillAction != UsapPoolRefillAction.NONE) {
int[] sessionSocketRawFDs =
socketFDs.subList(1, socketFDs.size())
.stream()
.mapToInt(FileDescriptor::getInt$)
.toArray();
final boolean isPriorityRefill =
mUsapPoolRefillAction == UsapPoolRefillAction.IMMEDIATE;
final Runnable command =
fillUsapPool(sessionSocketRawFDs, isPriorityRefill);
if (command != null) {
return command;
} else if (isPriorityRefill) {
// Schedule a delayed refill to finish refilling the pool.
mUsapPoolRefillTriggerTimestamp = System.currentTimeMillis();
}
}
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
Runnable fillUsapPool(int[] sessionSocketRawFDs, boolean isPriorityRefill) {
...
while (--numUsapsToSpawn >= 0) {
Runnable caller =
Zygote.forkUsap(mUsapPoolSocket, sessionSocketRawFDs, isPriorityRefill);
if (caller != null) {
return caller;
}
}
...
return null;
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
// 继续追踪关键返回值的函数forkUsap
// 对应文件frameworks/base/core/java/com/android/internal/os/Zygote.java
static @Nullable Runnable forkUsap(LocalServerSocket usapPoolSocket,
int[] sessionSocketRawFDs,
boolean isPriorityFork) {
FileDescriptor readFD;
FileDescriptor writeFD;
try {
FileDescriptor[] pipeFDs = Os.pipe2(O_CLOEXEC);
readFD = pipeFDs[0];
writeFD = pipeFDs[1];
} catch (ErrnoException errnoEx) {
throw new IllegalStateException("Unable to create USAP pipe.", errnoEx);
}
// 这里fork出一个子进程并初始化信息,
int pid = nativeForkApp(readFD.getInt$(), writeFD.getInt$(),
sessionSocketRawFDs, /*argsKnown=*/ false, isPriorityFork);
if (pid == 0) {
IoUtils.closeQuietly(readFD);
// 如果是子进程就调用childMain获取返回值
return childMain(null, usapPoolSocket, writeFD);
} else if (pid == -1) {
// Fork failed.
return null;
} else {
// readFD will be closed by the native code. See removeUsapTableEntry();
IoUtils.closeQuietly(writeFD);
nativeAddUsapTableEntry(pid, readFD.getInt$());
return null;
}
}
// 继续看childMain的实现
private static Runnable childMain(@Nullable ZygoteCommandBuffer argBuffer,
@Nullable LocalServerSocket usapPoolSocket,
FileDescriptor writePipe) {
...
// 初始化应用程序环境,设置应用程序上下文,初始化应用程序线程等等
specializeAppProcess(args.mUid, args.mGid, args.mGids,
args.mRuntimeFlags, rlimits, args.mMountExternal,
args.mSeInfo, args.mNiceName, args.mStartChildZygote,
args.mInstructionSet, args.mAppDataDir, args.mIsTopApp,
args.mPkgDataInfoList, args.mAllowlistedDataInfoList,
args.mBindMountAppDataDirs, args.mBindMountAppStorageDirs);
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
2023-03-08 10:23:49 +08:00
// 又看到这个了, ,
2023-03-02 00:49:22 +08:00
// 这里最后是反射获取某个java类的main函数封装后返回
return ZygoteInit.zygoteInit(args.mTargetSdkVersion,
args.mDisabledCompatChanges,
args.mRemainingArgs,
null /* classLoader */);
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
private static void specializeAppProcess(int uid, int gid, int[] gids, int runtimeFlags,
int[][] rlimits, int mountExternal, String seInfo, String niceName,
boolean startChildZygote, String instructionSet, String appDataDir, boolean isTopApp,
String[] pkgDataInfoList, String[] allowlistedDataInfoList,
boolean bindMountAppDataDirs, boolean bindMountAppStorageDirs) {
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
// 可以看到准备的一大堆参数,
nativeSpecializeAppProcess(uid, gid, gids, runtimeFlags, rlimits, mountExternal, seInfo,
niceName, startChildZygote, instructionSet, appDataDir, isTopApp,
pkgDataInfoList, allowlistedDataInfoList,
bindMountAppDataDirs, bindMountAppStorageDirs);
...
}
// 继续查看nativeSpecializeAppProcess
// 文件所在frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
static void com_android_internal_os_Zygote_nativeSpecializeAppProcess(
JNIEnv* env, jclass, jint uid, jint gid, jintArray gids, jint runtime_flags,
jobjectArray rlimits, jint mount_external, jstring se_info, jstring nice_name,
jboolean is_child_zygote, jstring instruction_set, jstring app_data_dir,
jboolean is_top_app, jobjectArray pkg_data_info_list,
jobjectArray allowlisted_data_info_list, jboolean mount_data_dirs,
jboolean mount_storage_dirs) {
jlong capabilities = CalculateCapabilities(env, uid, gid, gids, is_child_zygote);
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
SpecializeCommon(env, uid, gid, gids, runtime_flags, rlimits, capabilities, capabilities,
mount_external, se_info, nice_name, false, is_child_zygote == JNI_TRUE,
instruction_set, app_data_dir, is_top_app == JNI_TRUE, pkg_data_info_list,
allowlisted_data_info_list, mount_data_dirs == JNI_TRUE,
mount_storage_dirs == JNI_TRUE);
}
// 继续查看SpecializeCommon实现
static void SpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray gids, jint runtime_flags,
jobjectArray rlimits, jlong permitted_capabilities,
jlong effective_capabilities, jint mount_external,
jstring managed_se_info, jstring managed_nice_name,
bool is_system_server, bool is_child_zygote,
jstring managed_instruction_set, jstring managed_app_data_dir,
bool is_top_app, jobjectArray pkg_data_info_list,
jobjectArray allowlisted_data_info_list, bool mount_data_dirs,
bool mount_storage_dirs) {
const char* process_name = is_system_server ? "system_server" : "zygote";
auto fail_fn = std::bind(ZygoteFailure, env, process_name, managed_nice_name, _1);
auto extract_fn = std::bind(ExtractJString, env, process_name, managed_nice_name, _1);
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
auto se_info = extract_fn(managed_se_info);
auto nice_name = extract_fn(managed_nice_name);
auto instruction_set = extract_fn(managed_instruction_set);
auto app_data_dir = extract_fn(managed_app_data_dir);
// 在这里的nick_name就是应用的包名了
const char* nice_name_ptr = nice_name.has_value() ? nice_name.value().c_str() : nullptr;
// 如果是系统服务,
if (is_system_server) {
// Prefetch the classloader for the system server. This is done early to
// allow a tie-down of the proper system server selinux domain.
env->CallStaticObjectMethod(gZygoteInitClass, gGetOrCreateSystemServerClassLoader);
if (env->ExceptionCheck()) {
// Be robust here. The Java code will attempt to create the classloader
// at a later point (but may not have rights to use AoT artifacts).
env->ExceptionClear();
}
}
...
if (selinux_android_setcontext(uid, is_system_server, se_info_ptr, nice_name_ptr) == -1) {
fail_fn(CREATE_ERROR("selinux_android_setcontext(%d, %d, \"%s\", \"%s\") failed", uid,
is_system_server, se_info_ptr, nice_name_ptr));
}
// Make it easier to debug audit logs by setting the main thread's name to the
// nice name rather than "app_process".
if (nice_name.has_value()) {
SetThreadName(nice_name.value());
} else if (is_system_server) {
SetThreadName("system_server");
}
// 调用java层的callPostForkChildHooks函数
// 这个函数主要用来在新创建的子进程中调用回调函数进行初始化。
env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, runtime_flags,
is_system_server, is_child_zygote, managed_instruction_set);
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-02 00:49:22 +08:00
env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, runtime_flags,
is_system_server, is_child_zygote, managed_instruction_set);
ALOGW("start CallStaticVoidMethod current process:%s", nice_name_ptr);
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
// 执行脚本初始化编译环境
source ./build/envsetup.sh
// 选择要编译的版本
lunch aosp_blueline-userdebug
// 多线程编译
make -j$(nproc --all)
// 设置刷机目录
2023-04-15 16:36:02 +08:00
export ANDROID_PRODUCT_OUT=~/android_src/mikrom_out/target/product/blueline
2023-03-02 00:49:22 +08:00
// 手机重启进入bootloader
adb reboot bootloader
// 查看手机是否已经进入bootloader了
fastboot devices
// 将刚刚编译的系统刷入手机
fastboot flashall -w
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-28 23:24:06 +08:00
使用android studio的logcat查看日志, `adb logcat > tmp.log` 将日志输出到文件中,再进行观察。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
system_process W start CallStaticVoidMethod current process:(null)
com.android.bluetooth W start CallStaticVoidMethod current process:com.android.bluetooth
com.android.systemui W start CallStaticVoidMethod current process:com.android.systemui
pid-2292 W start CallStaticVoidMethod current process:WebViewLoader-armeabi-v7a
pid-2293 W start CallStaticVoidMethod current process:WebViewLoader-arm64-v8a
com.android.networkstack W start CallStaticVoidMethod current process:com.android.networkstack.process
com.qualcomm.qti.telephonyservice W start CallStaticVoidMethod current process:com.qualcomm.qti.telephonyservice
pid-2401 W start CallStaticVoidMethod current process:webview_zygote
com.android.se W start CallStaticVoidMethod current process:com.android.se
com.android.phone W start CallStaticVoidMethod current process:com.android.phone
com.android.settings W start CallStaticVoidMethod current process:com.android.settings
android.ext.services W start CallStaticVoidMethod current process:android.ext.services
com.android.launcher3 W start CallStaticVoidMethod current process:com.android.launcher3
com....cellbroadcastreceiver.module W start CallStaticVoidMethod current process:com.android.cellbroadcastreceiver.module
com.android.carrierconfig W start CallStaticVoidMethod current process:com.android.carrierconfig
com.android.providers.blockednumber W start CallStaticVoidMethod current process:android.process.acore
pid-2859 W start CallStaticVoidMethod current process:com.android.deskclock
pid-2899 W start CallStaticVoidMethod current process:com.android.nfc
pid-2927 W start CallStaticVoidMethod current process:com.android.keychain
pid-2944 W start CallStaticVoidMethod current process:com.android.providers.media.module
pid-3028 W start CallStaticVoidMethod current process:com.android.quicksearchbox
pid-3059 W start CallStaticVoidMethod current process:com.android.printspooler
pid-3077 W start CallStaticVoidMethod current process:com.android.music
pid-3112 W start CallStaticVoidMethod current process:com.android.traceur
pid-3145 W start CallStaticVoidMethod current process:com.android.dialer
pid-3151 W start CallStaticVoidMethod current process:android.process.media
pid-3213 W start CallStaticVoidMethod current process:com.android.calendar
pid-3230 W start CallStaticVoidMethod current process:com.android.imsserviceentitlement
pid-3256 W start CallStaticVoidMethod current process:com.android.camera2
pid-3277 W start CallStaticVoidMethod current process:com.android.contacts
pid-3302 W start CallStaticVoidMethod current process:com.android.dynsystem
pid-3322 W start CallStaticVoidMethod current process:com.android.dynsystem:dynsystem
pid-3337 W start CallStaticVoidMethod current process:com.android.inputmethod.latin
pid-3359 W start CallStaticVoidMethod current process:com.android.managedprovisioning
pid-3380 W start CallStaticVoidMethod current process:com.android.messaging
pid-3413 W start CallStaticVoidMethod current process:com.android.onetimeinitializer
pid-3436 W start CallStaticVoidMethod current process:com.android.packageinstaller
pid-3455 W start CallStaticVoidMethod current process:com.android.permissioncontroller
pid-3480 W start CallStaticVoidMethod current process:com.android.providers.calendar
pid-3503 W start CallStaticVoidMethod current process:com.android.settings
pid-3504 W start CallStaticVoidMethod current process:com.android.localtransport
pid-3545 W start CallStaticVoidMethod current process:com.android.shell
pid-3568 W start CallStaticVoidMethod current process:com.android.statementservice
pid-3595 W start CallStaticVoidMethod current process:com.android.quicksearchbox
pid-3615 W start CallStaticVoidMethod current process:com.android.cellbroadcastreceiver.module
pid-3638 W start CallStaticVoidMethod current process:com.android.externalstorage
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, ,
2023-03-08 10:23:49 +08:00
2023-03-02 00:49:22 +08:00
2023-03-28 23:24:06 +08:00
1. zygote进程启动是通过app_process执行程序启动的
1. 由init进程解析init.rc时启动的第一个zygote
1. 在第一个zygote进程中创建的ZygoteServer,
1. zygote是在ZygoteServer这个服务中收到消息后,
1. 所有进程均来自于zygote进程的fork而来,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
2023-03-02 00:49:22 +08:00
## 3.7 Android app应用启动
2023-03-08 10:23:49 +08:00
, , , , , , , `MainActivity` 的`onCreate` 的呢。
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , , , , ,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
? , , , , , ,
2023-03-02 00:49:22 +08:00
`frameworks/base/core/java/android/app/LauncherActivity.java` 。
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public abstract class LauncherActivity extends ListActivity {
...
@Override
protected void onListItemClick(ListView l, View v, int position, long id) {
Intent intent = intentForPosition(position);
startActivity(intent);
}
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, `startActivity` 这个函数非常熟悉了,但是`startActivity` 是如何打开一个应用的呢,很多人不会深入了解,但是,有了前文中的一系列基础铺垫,这时你已经能尝试追踪调用链了。现在,继续深入挖掘`startActivity` 的原理。
2023-03-02 00:49:22 +08:00
`frameworks/base/core/java/android/app/Activity.java`
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public void startActivity(Intent intent, @Nullable Bundle options) {
...
if (options != null) {
startActivityForResult(intent, -1, options);
} else {
// Note we want to go through this call for compatibility with
// applications that may have overridden the method.
startActivityForResult(intent, -1);
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
// 继续追踪startActivityForResult
public void startActivityForResult(
String who, Intent intent, int requestCode, @Nullable Bundle options) {
Uri referrer = onProvideReferrer();
if (referrer != null) {
intent.putExtra(Intent.EXTRA_REFERRER, referrer);
}
options = transferSpringboardActivityOptions(options);
Instrumentation.ActivityResult ar =
mInstrumentation.execStartActivity(
this, mMainThread.getApplicationThread(), mToken, who,
intent, requestCode, options);
if (ar != null) {
mMainThread.sendActivityResult(
mToken, who, requestCode,
ar.getResultCode(), ar.getResultData());
}
cancelInputsAndStartExitTransition(options);
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
// 继续追踪execStartActivity
public ActivityResult execStartActivity(
Context who, IBinder contextThread, IBinder token, Activity target,
Intent intent, int requestCode, Bundle options) {
...
try {
intent.migrateExtraStreamToClipData(who);
intent.prepareToLeaveProcess(who);
int result = ActivityTaskManager.getService().startActivity(whoThread,
who.getOpPackageName(), who.getAttributionTag(), intent,
intent.resolveTypeIfNeeded(who.getContentResolver()), token,
target != null ? target.mEmbeddedID : null, requestCode, 0, null, options);
checkStartActivityResult(result, intent);
} catch (RemoteException e) {
throw new RuntimeException("Failure from system", e);
}
return null;
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
`frameworks/base/services/core/java/com/android/server/wm/ActivityTaskManagerService.java`
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public final int startActivity(IApplicationThread caller, String callingPackage,
String callingFeatureId, Intent intent, String resolvedType, IBinder resultTo,
String resultWho, int requestCode, int startFlags, ProfilerInfo profilerInfo,
Bundle bOptions) {
return startActivityAsUser(caller, callingPackage, callingFeatureId, intent, resolvedType,
resultTo, resultWho, requestCode, startFlags, profilerInfo, bOptions,
UserHandle.getCallingUserId());
}
private int startActivityAsUser(IApplicationThread caller, String callingPackage,
@Nullable String callingFeatureId, Intent intent, String resolvedType,
IBinder resultTo, String resultWho, int requestCode, int startFlags,
ProfilerInfo profilerInfo, Bundle bOptions, int userId, boolean validateIncomingUser) {
...
// TODO: Switch to user app stacks here.
return getActivityStartController().obtainStarter(intent, "startActivityAsUser")
.setCaller(caller)
.setCallingPackage(callingPackage)
.setCallingFeatureId(callingFeatureId)
.setResolvedType(resolvedType)
.setResultTo(resultTo)
.setResultWho(resultWho)
.setRequestCode(requestCode)
.setStartFlags(startFlags)
.setProfilerInfo(profilerInfo)
.setActivityOptions(bOptions)
.setUserId(userId)
.execute();
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`execute` ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
ActivityStarter obtainStarter(Intent intent, String reason) {
return mFactory.obtain().setIntent(intent).setReason(reason);
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`ActivityStarter` 类型,找到对应的`excute` 的实现
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
// 处理 Activity 启动请求的接口
2023-03-02 00:49:22 +08:00
int execute() {
...
res = executeRequest(mRequest);
...
}
// 各种权限检查,合法的请求则继续
private int executeRequest(Request request) {
...
mLastStartActivityResult = startActivityUnchecked(r, sourceRecord, voiceSession,
request.voiceInteractor, startFlags, true /* doResume */, checkedOptions, inTask,
restrictedBgActivity, intentGrants);
...
}
private int startActivityUnchecked(final ActivityRecord r, ActivityRecord sourceRecord,
IVoiceInteractionSession voiceSession, IVoiceInteractor voiceInteractor,
int startFlags, boolean doResume, ActivityOptions options, Task inTask,
boolean restrictedBgActivity, NeededUriGrants intentGrants) {
...
Trace.traceBegin(Trace.TRACE_TAG_WINDOW_MANAGER, "startActivityInner");
result = startActivityInner(r, sourceRecord, voiceSession, voiceInteractor,
startFlags, doResume, options, inTask, restrictedBgActivity, intentGrants);
...
}
int startActivityInner(final ActivityRecord r, ActivityRecord sourceRecord,
IVoiceInteractionSession voiceSession, IVoiceInteractor voiceInteractor,
int startFlags, boolean doResume, ActivityOptions options, Task inTask,
boolean restrictedBgActivity, NeededUriGrants intentGrants) {
setInitialState(r, options, inTask, doResume, startFlags, sourceRecord, voiceSession,
voiceInteractor, restrictedBgActivity);
...
// 主要作用是判断当前 activity 是否可见以及是否需要为其新建 Task
mTargetRootTask.startActivityLocked(mStartActivity,
topRootTask != null ? topRootTask.getTopNonFinishingActivity() : null, newTask,
mKeepCurTransition, mOptions, sourceRecord);
if (mDoResume) {
final ActivityRecord topTaskActivity =
mStartActivity.getTask().topRunningActivityLocked();
if (!mTargetRootTask.isTopActivityFocusable()
|| (topTaskActivity != null & & topTaskActivity.isTaskOverlay()
& & mStartActivity != topTaskActivity)) {
...
} else {
if (mTargetRootTask.isTopActivityFocusable()
& & !mRootWindowContainer.isTopDisplayFocusedRootTask(mTargetRootTask)) {
mTargetRootTask.moveToFront("startActivityInner");
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
mRootWindowContainer.resumeFocusedTasksTopActivities(
mTargetRootTask, mStartActivity, mOptions, mTransientLaunch);
}
}
...
}
// 将所有聚焦的 Task 的所有 Activity 恢复运行,因为有些刚加入的 Activity 是处于暂停状态的
boolean resumeFocusedTasksTopActivities(
Task targetRootTask, ActivityRecord target, ActivityOptions targetOptions,
boolean deferPause) {
...
for (int displayNdx = getChildCount() - 1; displayNdx >= 0; --displayNdx) {
final DisplayContent display = getChildAt(displayNdx);
...
final Task focusedRoot = display.getFocusedRootTask();
if (focusedRoot != null) {
result |= focusedRoot.resumeTopActivityUncheckedLocked(target, targetOptions);
} else if (targetRootTask == null) {
result |= resumeHomeActivity(null /* prev */, "no-focusable-task",
display.getDefaultTaskDisplayArea());
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
}
return result;
}
boolean resumeTopActivityUncheckedLocked(ActivityRecord prev, ActivityOptions options,
boolean deferPause) {
...
someActivityResumed = resumeTopActivityInnerLocked(prev, options, deferPause);
...
}
private boolean resumeTopActivityInnerLocked(ActivityRecord prev, ActivityOptions options,
boolean deferPause) {
...
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
mTaskSupervisor.startSpecificActivity(next, true, true);
...
return true;
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, ,
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
void startSpecificActivity(ActivityRecord r, boolean andResume, boolean checkConfig) {
// Is this activity's application already running?
final WindowProcessController wpc =
mService.getProcessController(r.processName, r.info.applicationInfo.uid);
boolean knownToBeDead = false;
// 在运行中的直接启动
if (wpc != null & & wpc.hasThread()) {
try {
realStartActivityLocked(r, wpc, andResume, checkConfig);
return;
} catch (RemoteException e) {
Slog.w(TAG, "Exception when starting activity "
+ r.intent.getComponent().flattenToShortString(), e);
}
// If a dead object exception was thrown -- fall through to
// restart the application.
knownToBeDead = true;
}
r.notifyUnknownVisibilityLaunchedForKeyguardTransition();
// 不在运行中则启动新进程
final boolean isTop = andResume & & r.isTopRunningActivity();
mService.startProcessAsync(r, knownToBeDead, isTop, isTop ? "top-activity" : "activity");
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`startProcessAsync` 调用即可。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
void startProcessAsync(ActivityRecord activity, boolean knownToBeDead, boolean isTop,
String hostingType) {
try {
if (Trace.isTagEnabled(TRACE_TAG_WINDOW_MANAGER)) {
Trace.traceBegin(TRACE_TAG_WINDOW_MANAGER, "dispatchingStartProcess:"
+ activity.processName);
}
// Post message to start process to avoid possible deadlock of calling into AMS with the
// ATMS lock held.
final Message m = PooledLambda.obtainMessage(ActivityManagerInternal::startProcess,
mAmInternal, activity.processName, activity.info.applicationInfo, knownToBeDead,
isTop, hostingType, activity.intent.getComponent());
mH.sendMessage(m);
} finally {
Trace.traceEnd(TRACE_TAG_WINDOW_MANAGER);
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
@Override
public void startProcess(String processName, ApplicationInfo info, boolean knownToBeDead,
boolean isTop, String hostingType, ComponentName hostingName) {
try {
if (Trace.isTagEnabled(Trace.TRACE_TAG_ACTIVITY_MANAGER)) {
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "startProcess:"
+ processName);
}
synchronized (ActivityManagerService.this) {
// If the process is known as top app, set a hint so when the process is
// started, the top priority can be applied immediately to avoid cpu being
// preempted by other processes before attaching the process of top app.
startProcessLocked(processName, info, knownToBeDead, 0 /* intentFlags */,
new HostingRecord(hostingType, hostingName, isTop),
ZYGOTE_POLICY_FLAG_LATENCY_SENSITIVE, false /* allowWhileBooting */,
false /* isolated */);
}
} finally {
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
}
}
// 继续追踪startProcessLocked
final ProcessRecord startProcessLocked(String processName,
ApplicationInfo info, boolean knownToBeDead, int intentFlags,
HostingRecord hostingRecord, int zygotePolicyFlags, boolean allowWhileBooting,
boolean isolated) {
return mProcessList.startProcessLocked(processName, info, knownToBeDead, intentFlags,
hostingRecord, zygotePolicyFlags, allowWhileBooting, isolated, 0 /* isolatedUid */,
null /* ABI override */, null /* entryPoint */,
null /* entryPointArgs */, null /* crashHandler */);
}
// 在这里初始化了一堆进程信息,然后调用了另一个重载
// 并且注意entryPoint赋值android.app.ActivityThread
boolean startProcessLocked(ProcessRecord app, HostingRecord hostingRecord,
int zygotePolicyFlags, boolean disableHiddenApiChecks, boolean disableTestApiChecks,
String abiOverride) {
...
// the PID of the new process, or else throw a RuntimeException.
final String entryPoint = "android.app.ActivityThread";
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
return startProcessLocked(hostingRecord, entryPoint, app, uid, gids,
runtimeFlags, zygotePolicyFlags, mountExternal, seInfo, requiredAbi,
instructionSet, invokeWith, startTime);
}
2023-03-06 12:09:21 +08:00
//
2023-03-02 00:49:22 +08:00
boolean startProcessLocked(HostingRecord hostingRecord, String entryPoint, ProcessRecord app,
int uid, int[] gids, int runtimeFlags, int zygotePolicyFlags, int mountExternal,
String seInfo, String requiredAbi, String instructionSet, String invokeWith,
long startTime) {
...
final Process.ProcessStartResult startResult = startProcess(hostingRecord,
entryPoint, app,
uid, gids, runtimeFlags, zygotePolicyFlags, mountExternal, seInfo,
requiredAbi, instructionSet, invokeWith, startTime);
handleProcessStartedLocked(app, startResult.pid, startResult.usingWrapper,
startSeq, false);
...
return app.getPid() > 0;
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
}
// 继续查看startProcess
private Process.ProcessStartResult startProcess(HostingRecord hostingRecord, String entryPoint,
ProcessRecord app, int uid, int[] gids, int runtimeFlags, int zygotePolicyFlags,
int mountExternal, String seInfo, String requiredAbi, String instructionSet,
String invokeWith, long startTime) {
...
final Process.ProcessStartResult startResult;
boolean regularZygote = false;
// 这里根据应用情况使用不同类型的zygote来启动进程
if (hostingRecord.usesWebviewZygote()) {
startResult = startWebView(entryPoint,
app.processName, uid, uid, gids, runtimeFlags, mountExternal,
app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet,
app.info.dataDir, null, app.info.packageName,
app.getDisabledCompatChanges(),
new String[]{PROC_START_SEQ_IDENT + app.getStartSeq()});
} else if (hostingRecord.usesAppZygote()) {
final AppZygote appZygote = createAppZygoteForProcessIfNeeded(app);
// We can't isolate app data and storage data as parent zygote already did that.
startResult = appZygote.getProcess().start(entryPoint,
app.processName, uid, uid, gids, runtimeFlags, mountExternal,
app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet,
app.info.dataDir, null, app.info.packageName,
/*zygotePolicyFlags=*/ ZYGOTE_POLICY_FLAG_EMPTY, isTopApp,
app.getDisabledCompatChanges(), pkgDataInfoMap, allowlistedAppDataInfoMap,
false, false,
new String[]{PROC_START_SEQ_IDENT + app.getStartSeq()});
} else {
regularZygote = true;
startResult = Process.start(entryPoint,
app.processName, uid, uid, gids, runtimeFlags, mountExternal,
app.info.targetSdkVersion, seInfo, requiredAbi, instructionSet,
app.info.dataDir, invokeWith, app.info.packageName, zygotePolicyFlags,
isTopApp, app.getDisabledCompatChanges(), pkgDataInfoMap,
allowlistedAppDataInfoMap, bindMountAppsData, bindMountAppStorageDirs,
new String[]{PROC_START_SEQ_IDENT + app.getStartSeq()});
}
if (!regularZygote) {
// webview and app zygote don't have the permission to create the nodes
if (Process.createProcessGroup(uid, startResult.pid) < 0 ) {
Slog.e(ActivityManagerService.TAG, "Unable to create process group for "
+ app.processName + " (" + startResult.pid + ")");
}
}
...
return startResult;
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`zygote` 有三种类型,根据启动的应用信息使用不同类型的`zygote` 来启动。
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
1. regularZygote 常规进程,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
2. appZygote 应用进程,比常规进程多一些限制。
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
3. webviewZygote 辅助zygote进程, ,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public ChildZygoteProcess getProcess() {
synchronized (mLock) {
if (mZygote != null) return mZygote;
connectToZygoteIfNeededLocked();
return mZygote;
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`ChildZygoteProcess` 的`start` 函数,然后找到类定义后,发现没有`start` ,那么应该就是父类中的实现。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public class ChildZygoteProcess extends ZygoteProcess {
private final int mPid;
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
ChildZygoteProcess(LocalSocketAddress socketAddress, int pid) {
super(socketAddress, null);
mPid = pid;
}
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
public int getPid() {
return mPid;
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
, ,
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public final Process.ProcessStartResult start(...) {
...
return startViaZygote(processClass, niceName, uid, gid, gids,
runtimeFlags, mountExternal, targetSdkVersion, seInfo,
abi, instructionSet, appDataDir, invokeWith, /*startChildZygote=*/ false,
packageName, zygotePolicyFlags, isTopApp, disabledCompatChanges,
pkgDataInfoMap, allowlistedDataInfoList, bindMountAppsData,
bindMountAppStorageDirs, zygoteArgs);
...
}
private Process.ProcessStartResult startViaZygote(...)
throws ZygoteStartFailedEx {
ArrayList< String > argsForZygote = new ArrayList< >();
// 前面是将前面准备的参数填充好
// --runtime-args, --setuid=, --setgid=,
// and --setgroups= must go first
argsForZygote.add("--runtime-args");
argsForZygote.add("--setuid=" + uid);
argsForZygote.add("--setgid=" + gid);
argsForZygote.add("--runtime-flags=" + runtimeFlags);
if (mountExternal == Zygote.MOUNT_EXTERNAL_DEFAULT) {
argsForZygote.add("--mount-external-default");
} else if (mountExternal == Zygote.MOUNT_EXTERNAL_INSTALLER) {
argsForZygote.add("--mount-external-installer");
} else if (mountExternal == Zygote.MOUNT_EXTERNAL_PASS_THROUGH) {
argsForZygote.add("--mount-external-pass-through");
} else if (mountExternal == Zygote.MOUNT_EXTERNAL_ANDROID_WRITABLE) {
argsForZygote.add("--mount-external-android-writable");
}
...
synchronized(mLock) {
// The USAP pool can not be used if the application will not use the systems graphics
// driver. If that driver is requested use the Zygote application start path.
return zygoteSendArgsAndGetResult(openZygoteSocketIfNeeded(abi),
zygotePolicyFlags,
argsForZygote);
}
}
private Process.ProcessStartResult zygoteSendArgsAndGetResult(
ZygoteState zygoteState, int zygotePolicyFlags, @NonNull ArrayList< String > args)
throws ZygoteStartFailedEx {
...
//是否用非特定的应用程序进程池进行处理,默认不使用
if (shouldAttemptUsapLaunch(zygotePolicyFlags, args)) {
try {
return attemptUsapSendArgsAndGetResult(zygoteState, msgStr);
} catch (IOException ex) {
// If there was an IOException using the USAP pool we will log the error and
// attempt to start the process through the Zygote.
Log.e(LOG_TAG, "IO Exception while communicating with USAP pool - "
+ ex.getMessage());
}
}
return attemptZygoteSendArgsAndGetResult(zygoteState, msgStr);
}
private Process.ProcessStartResult attemptZygoteSendArgsAndGetResult(
ZygoteState zygoteState, String msgStr) throws ZygoteStartFailedEx {
try {
final BufferedWriter zygoteWriter = zygoteState.mZygoteOutputWriter;
final DataInputStream zygoteInputStream = zygoteState.mZygoteInputStream;
// 这里实际就是连接SocketServer了,
zygoteWriter.write(msgStr);
zygoteWriter.flush();
Process.ProcessStartResult result = new Process.ProcessStartResult();
result.pid = zygoteInputStream.readInt();
result.usingWrapper = zygoteInputStream.readBoolean();
// ZygoteServer创建好进程后,
if (result.pid < 0 ) {
throw new ZygoteStartFailedEx("fork() failed");
}
return result;
} catch (IOException ex) {
zygoteState.close();
Log.e(LOG_TAG, "IO Exception while communicating with Zygote - "
+ ex.toString());
throw new ZygoteStartFailedEx(ex);
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`ZygoteServer` 启动进程的流程,当时看到执行到最后是`findStaticMain` 函数, , , `startProcessLocked` 函数中能看到类名赋值是`android.app.ActivityThread` ,所以这里和`ZygoteServer` 进行通信创建线程,最后调用的函数就是`android.app.ActivityThread` 中的`main` 函数。这样一来,启动流程就衔接上了。
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`ActivityThread` 是Android应用程序运行的UI主线程, , , `prepareMainLooper` 函数将实例化一个`Looper` 对象,然后由`Looper` 对象创建一个消息队列,当`loop` 函数调用时, ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public static void main(String[] args) {
2023-03-04 18:05:05 +08:00
...
Looper.prepareMainLooper();
2023-03-02 00:49:22 +08:00
...
ActivityThread thread = new ActivityThread();
thread.attach(false, startSeq);
2023-03-04 18:05:05 +08:00
// 主线程消息循环处理的handler
if (sMainThreadHandler == null) {
sMainThreadHandler = thread.getHandler();
}
2023-03-02 00:49:22 +08:00
...
Looper.loop();
}
//接着看attach做了什么
private void attach(boolean system, long startSeq) {
...
mgr.attachApplication(mAppThread, startSeq);
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`loop` 函数,在这里直接是一个死循环进行`loopOnce` 调用
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public static void loop() {
...
for (;;) {
if (!loopOnce(me, ident, thresholdOverride)) {
return;
}
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`loopOnce` 的实现, ,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
private static boolean loopOnce(final Looper me,
final long ident, final int thresholdOverride) {
Message msg = me.mQueue.next(); // might block
if (msg == null) {
// No message indicates that the message queue is quitting.
return false;
}
...
2023-03-06 12:09:21 +08:00
msg.target.dispatchMessage(msg);
2023-03-04 18:05:05 +08:00
...
return true;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public Handler getHandler() {
return mH;
}
// 继续查看mH是如何赋值,
final H mH = new H();
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`Handler` 了。看看相关实现。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
class H extends Handler {
public static final int BIND_APPLICATION = 110;
@UnsupportedAppUsage
public static final int EXIT_APPLICATION = 111;
...
String codeToString(int code) {
if (DEBUG_MESSAGES) {
switch (code) {
case BIND_APPLICATION: return "BIND_APPLICATION";
case EXIT_APPLICATION: return "EXIT_APPLICATION";
...
}
}
return Integer.toString(code);
}
public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
switch (msg.what) {
case BIND_APPLICATION:
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
AppBindData data = (AppBindData)msg.obj;
handleBindApplication(data);
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
break;
case EXIT_APPLICATION:
if (mInitialApplication != null) {
mInitialApplication.onTerminate();
}
Looper.myLooper().quit();
break;
...
}
...
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`attach` 中的处理,`mgr` 就是`AMS` ,所以来到`ActivityManagerService` 查看`attachApplication` :
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public final void attachApplication(IApplicationThread thread, long startSeq) {
if (thread == null) {
throw new SecurityException("Invalid application interface");
}
synchronized (this) {
int callingPid = Binder.getCallingPid();
final int callingUid = Binder.getCallingUid();
final long origId = Binder.clearCallingIdentity();
attachApplicationLocked(thread, callingPid, callingUid, startSeq);
Binder.restoreCallingIdentity(origId);
}
}
// 继续追踪attachApplicationLocked
private boolean attachApplicationLocked(@NonNull IApplicationThread thread,
int pid, int callingUid, long startSeq) {
...
if (app.getIsolatedEntryPoint() != null) {
// This is an isolated process which should just call an entry point instead of
// being bound to an application.
thread.runIsolatedEntryPoint(
app.getIsolatedEntryPoint(), app.getIsolatedEntryPointArgs());
} else if (instr2 != null) {
thread.bindApplication(processName, appInfo, providerList,
instr2.mClass,
profilerInfo, instr2.mArguments,
instr2.mWatcher,
instr2.mUiAutomationConnection, testMode,
mBinderTransactionTrackingEnabled, enableTrackAllocation,
isRestrictedBackupMode || !normalMode, app.isPersistent(),
new Configuration(app.getWindowProcessController().getConfiguration()),
app.getCompat(), getCommonServicesLocked(app.isolated),
mCoreSettingsObserver.getCoreSettingsLocked(),
buildSerial, autofillOptions, contentCaptureOptions,
app.getDisabledCompatChanges(), serializedSystemFontMap);
} else {
thread.bindApplication(processName, appInfo, providerList, null, profilerInfo,
null, null, null, testMode,
mBinderTransactionTrackingEnabled, enableTrackAllocation,
isRestrictedBackupMode || !normalMode, app.isPersistent(),
new Configuration(app.getWindowProcessController().getConfiguration()),
app.getCompat(), getCommonServicesLocked(app.isolated),
mCoreSettingsObserver.getCoreSettingsLocked(),
buildSerial, autofillOptions, contentCaptureOptions,
app.getDisabledCompatChanges(), serializedSystemFontMap);
}
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
,
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public final void bindApplication(...) {
...
AppBindData data = new AppBindData();
data.processName = processName;
data.appInfo = appInfo;
data.providers = providerList.getList();
data.instrumentationName = instrumentationName;
data.instrumentationArgs = instrumentationArgs;
data.instrumentationWatcher = instrumentationWatcher;
data.instrumentationUiAutomationConnection = instrumentationUiConnection;
data.debugMode = debugMode;
data.enableBinderTracking = enableBinderTracking;
data.trackAllocation = trackAllocation;
data.restrictedBackupMode = isRestrictedBackupMode;
data.persistent = persistent;
data.config = config;
data.compatInfo = compatInfo;
data.initProfilerInfo = profilerInfo;
data.buildSerial = buildSerial;
data.autofillOptions = autofillOptions;
data.contentCaptureOptions = contentCaptureOptions;
data.disabledCompatChanges = disabledCompatChanges;
data.mSerializedSystemFontMap = serializedSystemFontMap;
sendMessage(H.BIND_APPLICATION, data);
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`AppBindData` 数据初始化完成了,最后发送消息`BIND_APPLICATION` 通知准备就绪,并将准备好的数据发送过去。查看消息循环的处理部分`handleMessage` 函数,看这个数据传给哪个函数处理了。
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public void handleMessage(Message msg) {
if (DEBUG_MESSAGES) Slog.v(TAG, ">>> handling: " + codeToString(msg.what));
switch (msg.what) {
case BIND_APPLICATION:
Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
AppBindData data = (AppBindData)msg.obj;
handleBindApplication(data);
Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
break;
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`handleBindApplication` ,继续追踪这个函数
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
private void handleBindApplication(AppBindData data) {
...
//前面准备好的data数据赋值给了mBoundApplication
mBoundApplication = data;
...
// 创建出了Context
final ContextImpl appContext = ContextImpl.createAppContext(this, data.info);
...
Application app;
final StrictMode.ThreadPolicy savedPolicy = StrictMode.allowThreadDiskWrites();
final StrictMode.ThreadPolicy writesAllowedPolicy = StrictMode.getThreadPolicy();
try {
// 创建出了Application
app = data.info.makeApplication(data.restrictedBackupMode, null);
...
// Application赋值给了mInitialApplication
mInitialApplication = app;
...
try {
mInstrumentation.callApplicationOnCreate(app);
} catch (Exception e) {
...
}
} finally {
...
}
...
}
// 看看是如何创建出Application的
public Application makeApplication(boolean forceDefaultAppClass,
Instrumentation instrumentation) {
if (mApplication != null) {
return mApplication;
}
...
app = mActivityThread.mInstrumentation.newApplication(
cl, appClass, appContext);
...
return app;
}
// 继续看newApplication的实现
static public Application newApplication(Class< ?> clazz, Context context)
2023-03-06 12:09:21 +08:00
throws InstantiationException, IllegalAccessException,
2023-03-02 00:49:22 +08:00
ClassNotFoundException {
Application app = (Application)clazz.newInstance();
// 最后发现调用了attach
app.attach(context);
return app;
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
`Context` 的创建和`Application` 的创建, `onCreate` 的,继续追踪`callApplicationOnCreate` 的实现
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-02 00:49:22 +08:00
public void callApplicationOnCreate(Application app) {
...
app.onCreate();
}
2023-03-06 12:09:21 +08:00
```
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, `onCreate` 函数, , ,
2023-03-02 00:49:22 +08:00
TODO 流程图
2023-03-08 10:23:49 +08:00
, , , , ,
2023-03-02 00:49:22 +08:00
## 3.8 了解Service
, , , , , , , , ,
2023-03-08 10:23:49 +08:00
, , `forkSystemServer` 执行到`SystemServer` 来启动一系列的Service。这些Service有着各自负责的功能, , `AMS` 。而启动了`AMS` 的`SystemServer` 也是一个服务, , ,
2023-03-02 00:49:22 +08:00
2023-03-08 10:23:49 +08:00
, , , , , , , , , , , , , , ,
2023-03-02 00:49:22 +08:00
, ,
2023-03-06 12:09:21 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
: ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
: , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
: ,
2023-03-02 00:49:22 +08:00
: ,
,
, , , , ,
, ,
, , , , , ,
, , ,
, ,
,
,
, ,
,
,
, , ,
2023-03-06 12:09:21 +08:00
: , , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
: , , ,
, , ,
, , , , ,
, , , , , , ,
,
, ,
, ,
, ,
,
2023-03-06 12:09:21 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, ,
2023-03-02 00:49:22 +08:00
,
2023-03-06 12:09:21 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
,
2023-03-02 00:49:22 +08:00
,
2023-03-06 12:09:21 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, , , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, , ,
2023-03-02 00:49:22 +08:00
2023-03-06 12:09:21 +08:00
, , ,
2023-03-02 00:49:22 +08:00
, , ,
, ,
2023-03-08 10:23:49 +08:00
, , , ,
2023-03-04 18:05:05 +08:00
## 3.9 了解Framework
2023-03-08 10:23:49 +08:00
, , , , , , , , , , , ,
看一张经典的架构图。
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
, :
2023-03-04 18:05:05 +08:00
1. Activity Manager:
2. Content Providers:
3. Package Manager: , ,
4. Resource Manager: , , ,
5. Notification Manager:
6. Telephony Manager: , ,
7. Location Manager:
8. View System: , ,
9. Window Manager: ,
10. Package Installer:
11. Resource Manager: , ,
12. Activity和Fragment:
2023-03-08 10:23:49 +08:00
, , , , , ,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
TelephonyManager tm = (TelephonyManager) this.getSystemService(TELEPHONY_SERVICE);
/*
* 电话状态:
* 1.tm.CALL_STATE_IDLE=0 无活动
* 2.tm.CALL_STATE_RINGING=1 响铃
* 3.tm.CALL_STATE_OFFHOOK=2 摘机
*/
int state= tm.getCallState();//int
Log.i("MainActivity","phone state "+state);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
, , ,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public Object getSystemService(@ServiceName @NonNull String name) {
if (getBaseContext() == null) {
throw new IllegalStateException(
"System services not available to Activities before onCreate()");
}
if (WINDOW_SERVICE.equals(name)) {
return mWindowManager;
} else if (SEARCH_SERVICE.equals(name)) {
ensureSearchManager();
return mSearchManager;
}
return super.getSystemService(name);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, ,
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public Object getSystemService(String name) {
if (LAYOUT_INFLATER_SERVICE.equals(name)) {
if (mInflater == null) {
mInflater = LayoutInflater.from(getBaseContext()).cloneInContext(this);
}
return mInflater;
}
return getBaseContext().getSystemService(name);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public Object getSystemService(String name) {
...
return SystemServiceRegistry.getSystemService(this, name);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public static Object getSystemService(ContextImpl ctx, String name) {
if (name == null) {
return null;
}
final ServiceFetcher< ?> fetcher = SYSTEM_SERVICE_FETCHERS.get(name);
if (fetcher == null) {
if (sEnableServiceNotFoundWtf) {
Slog.wtf(TAG, "Unknown manager requested: " + name);
}
return null;
}
final Object ret = fetcher.getService(ctx);
...
return ret;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
private static < T > void registerService(@NonNull String serviceName,
@NonNull Class< T > serviceClass, @NonNull ServiceFetcher< T > serviceFetcher) {
SYSTEM_SERVICE_NAMES.put(serviceClass, serviceName);
SYSTEM_SERVICE_FETCHERS.put(serviceName, serviceFetcher);
SYSTEM_SERVICE_CLASS_NAMES.put(serviceName, serviceClass.getSimpleName());
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`registerService` 函数注册。顺着这个函数,找到在`SystemServiceRegistry` 类中进行了大量的系统服务注册,如果添加一个自定义的系统服务,同样也是需要在这里进行系统服务的注册。
看看TelephonyManager中getCallState函数的实现。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public @CallState int getCallState() {
if (mContext != null) {
TelecomManager telecomManager = mContext.getSystemService(TelecomManager.class);
if (telecomManager != null) {
return telecomManager.getCallState();
}
}
return CALL_STATE_IDLE;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public @CallState int getCallState() {
ITelecomService service = getTelecomService();
if (service != null) {
try {
return service.getCallStateUsingPackage(mContext.getPackageName(),
mContext.getAttributionTag());
} catch (RemoteException e) {
Log.d(TAG, "RemoteException calling getCallState().", e);
}
}
return TelephonyManager.CALL_STATE_IDLE;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, ,
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public int getCallStateUsingPackage(String callingPackage, String callingFeatureId) {
try {
Log.startSession("TSI.getCallStateUsingPackage");
if (CompatChanges.isChangeEnabled(
TelecomManager.ENABLE_GET_CALL_STATE_PERMISSION_PROTECTION, callingPackage,
Binder.getCallingUserHandle())) {
// Bypass canReadPhoneState check if this is being called from SHELL UID
if (Binder.getCallingUid() != Process.SHELL_UID & & !canReadPhoneState(
callingPackage, callingFeatureId, "getCallState")) {
throw new SecurityException("getCallState API requires READ_PHONE_STATE"
+ " for API version 31+");
}
}
synchronized (mLock) {
return mCallsManager.getCallState();
}
} finally {
Log.endSession();
}
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
,
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
int getCallState() {
return mPhoneStateBroadcaster.getCallState();
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, , , , , , , , ,
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
final class PhoneStateBroadcaster extends CallsManagerListenerBase {
...
@Override
public void onCallStateChanged(Call call, int oldState, int newState) {
if (call.isExternalCall()) {
return;
}
updateStates(call);
}
@Override
public void onCallAdded(Call call) {
if (call.isExternalCall()) {
return;
}
updateStates(call);
if (call.isEmergencyCall() & & !call.isIncoming()) {
sendOutgoingEmergencyCallEvent(call);
}
}
@Override
public void onCallRemoved(Call call) {
if (call.isExternalCall()) {
return;
}
updateStates(call);
}
@Override
public void onExternalCallChanged(Call call, boolean isExternalCall) {
updateStates(call);
}
private void updateStates(Call call) {
int callState = TelephonyManager.CALL_STATE_IDLE;
if (mCallsManager.hasRingingOrSimulatedRingingCall()) {
callState = TelephonyManager.CALL_STATE_RINGING;
} else if (mCallsManager.getFirstCallWithState(CallState.DIALING, CallState.PULLING,
CallState.ACTIVE, CallState.ON_HOLD) != null) {
callState = TelephonyManager.CALL_STATE_OFFHOOK;
}
sendPhoneStateChangedBroadcast(call, callState);
}
int getCallState() {
return mCurrentState;
}
2023-03-06 12:09:21 +08:00
2023-03-04 18:05:05 +08:00
private void sendPhoneStateChangedBroadcast(Call call, int phoneState) {
if (phoneState == mCurrentState) {
return;
}
mCurrentState = phoneState;
...
}
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
## 3.9 了解libcore
, , , , , ,
, ,
, ,
, , ( ) , , , ,
在ojluni子库中, :
1. java.lang包: ,
2. java.util包: ,
3. java.io包: ,
4. java.net包: ,
2023-03-08 10:23:49 +08:00
, , , , , `tree` 命令展开目录的树状图。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
tree ./libcore/ojluni/src/main/java/ -d
├── com
│ └── sun
│ ├── net
│ │ └── ssl
│ │ └── internal
│ │ └── ssl
│ ├── nio
│ │ └── file
│ └── security
│ └── cert
│ └── internal
│ └── x509
├── java
│ ├── awt
│ │ └── font
│ ├── beans
│ ├── io
│ ├── lang
│ │ ├── annotation
│ │ ├── invoke
│ │ ├── ref
│ │ └── reflect
│ ├── math
│ ├── net
│ ├── nio
│ │ ├── channels
│ │ │ └── spi
│ │ ├── charset
│ │ │ └── spi
│ │ └── file
│ │ ├── attribute
│ │ └── spi
│ ├── security
│ │ ├── acl
│ │ ├── cert
│ │ ├── interfaces
│ │ └── spec
│ ├── sql
│ ├── text
│ ├── time
│ │ ├── chrono
│ │ ├── format
│ │ ├── temporal
│ │ └── zone
│ └── util
│ ├── concurrent
│ │ ├── atomic
│ │ └── locks
│ ├── function
│ ├── jar
│ ├── logging
│ ├── prefs
│ ├── regex
│ ├── stream
│ └── zip
├── javax
│ ├── crypto
│ │ ├── interfaces
│ │ └── spec
│ ├── net
│ │ └── ssl
│ ├── security
│ │ ├── auth
│ │ │ ├── callback
│ │ │ ├── login
│ │ │ └── x500
│ │ └── cert
│ └── sql
│ └── rowset
├── jdk
│ ├── internal
│ │ ├── util
│ │ └── vm
│ │ └── annotation
│ └── net
└── sun
├── invoke
│ └── util
├── misc
├── net
│ ├── ftp
│ │ └── impl
│ ├── spi
│ │ └── nameservice
│ ├── util
│ └── www
│ └── protocol
│ ├── file
│ ├── ftp
│ └── jar
├── nio
│ ├── ch
│ ├── cs
│ └── fs
├── reflect
│ └── misc
├── security
│ ├── action
│ ├── jca
│ ├── pkcs
│ ├── provider
│ │ └── certpath
│ ├── timestamp
│ ├── util
│ └── x509
└── util
├── calendar
├── locale
│ └── provider
├── logging
└── resources
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
## 3.11 了解sepolicy
, ,
在Android中, , , ,
具体而言, :
1. 限制应用程序访问系统的资源,例如系统设置、网络接口等。
2. 限制应用程序的使用权限,例如读取联系人、访问存储空间等。
3. 保护系统文件和目录,防止应用程序和攻击者修改和删除系统关键文件。
4. 限制system_server和其他服务的访问权限,
为了实现这些功能, , :
1. Type Enforcemen是一种强制式访问控制( ) , ( ) ( ) ,
2. Role Based Access Control( ) : ,
3. Mandatory Access Control( ) :
通过以上措施的组合, , ,
2023-03-08 10:23:49 +08:00
, , , `./system/sepolicy/` 目录中,`public` 、`private` 、`prebuilts` 目录下。
2023-03-04 18:05:05 +08:00
1. `public` :该目录包含 Android 系统与函数库等公共的 sepolicy 规则。这些规则是开发人员和厂商可以自由使用和修改的,因为这些规则涉及到的是公共区域的访问控制。
2. `private` :该目录包含硬编码到 Android 系统中的特定规则。这些规则用于控制既定的 Android 系统功能和应用程序,例如拨号应用程序、电源管理等,因此这些规则不能被修改或覆盖。
3. `prebuilts` : 该目录包含预制的 sepolicy 文件,通常在 Android 设备的启动映像中用于定制芯片厂商的定制设备。它包括一组针对不同芯片和设备制造商的 sepolicy 规则和策略,找不到与特定设备相关联的策略时,预置策略可作为 Fallback 值。
, *.te( ) .fc( )
`public` 目录中的公共 sepolicy 规则,然后会使用 `private` 目录中的预设规则来控制既定的 Android 系统功能和应用程序。如果系统需要更改某些规则,系统会加载 `public` 和 `private` 目录中的规则文件,并根据这些文件进行修改。
`public` 和 `private` 目录中,则系统需要使用预制的 `prebuilts` 规则对新规则进行对比。因为预置的 prebuilts 规则是与设备和芯片厂商紧密相关的,因此这有助于系统保持原有的稳定性和设备兼容性,并防止在修改规则时发生不可预测的错误。
2023-03-08 10:23:49 +08:00
`./system/sepolicy/public/adbd.te`
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
type adbd, domain;
allow adbd shell_test_data_file:dir create_dir_perms;
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
- `adbd` :指定进程的类型;
- `domain` :指定域的类型;
- `shell_test_data_file` :指定目录的类型。
规则使用了`allow` 关键字,表示允许某些操作。具体来说,上述规则允许`adbd` 类型的进程在`shell_test_data_file` 目录下创建目录,并且该目录将被赋予允许创建子目录的权限(由`create_dir_perms` 定义)。
`adbd` 进程需要在`shell_test_data_file` 目录下创建子目录时,允许该操作,并为新创建的目录设置适当的权限。注意,这个规则只对该目录有效,不能用于其他目录。
`com_android_internal_os_Zygote.cpp` 的`SpecializeCommon` 函数中加入如下代码,
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
std::string filepath="/data/app/demo";
ReadFileToString(filepath,& file_contents)
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
avc: denied { search } for name="app" dev="dm-8" ino=100 scontext=u:r:zygote:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, `avc: denied` 是出现最频繁的提示之一,
`avc: denied` 之外,还有其他一些可能出现的提示信息。以下是一些常见提示信息以及它们的含义:
,
,
,
, ,
scontext和tcontext中的“u”, :
,
( ) ,
( ) ,
2023-03-08 10:23:49 +08:00
`ps -eZ` 来查看进程的scontext。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
ps -eZ
u:r:servicemanager:s0 system 672 1 10860740 3784 SyS_epoll+ 0 S servicemanager
u:r:hwservicemanager:s0 system 673 1 10880928 4648 SyS_epoll+ 0 S hwservicemanager
u:r:kernel:s0 root 674 2 0 0 worker_th+ 0 S [kworker/7:1H]
u:r:vndservicemanager:s0 system 675 1 10813436 2884 SyS_epoll+ 0 S vndservicemanager
u:r:kernel:s0 root 676 2 0 0 kthread_w+ 0 S [psimon]
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
`ls -Z` 来查看文件的scontext
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
cd /data/app
ls -Z -all
drwxrwxr-x 3 system system u:object_r:apk_data_file:s0 3488 2023-02-26 21:50:57.968696920 +0800 ~~QZ-rYHaywe6nr2ryYn3UoQ==
drwxrwxr-x 3 system system u:object_r:apk_data_file:s0 3488 2023-03-02 22:12:29.802016689 +0800 ~~W9dmzmphiDsjJm79RiBwdg==
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`selinux` 拒绝搜索一个目录, , , `u:r:zygote:s0` , , `u:object_r:apk_data_file:s0` , , `apk_data_file` ,表示应用程序的数据文件。`tclass` 表示请求对象的类型,`dir` 为适用于目录,`file` 表示适用于文件
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
avc: denied { search } for name="app" dev="dm-8" ino=100 scontext=u:r:zygote:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`system/sepolicy/private/zygote.te` ,然后添加策略如下
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
allow zygote apk_data_file:dir search;
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, , `system/sepolicy/prebuilts/api/31.0/private/zygote.te` 下添加相同的策略即可成功编译。
, , , ,
2023-03-08 10:23:49 +08:00
`neverallow` 。这种情况可以找到对应的`neverallow` ,进行修改添加一个白名单来放过添加的规则。例如下面这个例子
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
neverallow {
coredomain
-fsck
-init
-ueventd
-zygote
} device:{ blk_file file } no_rw_file_perms;
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
`device` 类型的文件,其中-zygote, `-` 表示排除掉这种进程,如果被设置了永不允许,只要找到对应的设置处,添加上排除对应进程即可成功编译了。
## 3.12 了解Linker
,
: , ,
: , ,
, `bionic/linker` 。该目录包含Linker的核心实现, , `linker.c` 是Linker的主要入口点, `linker_phdr.c` 是负责加载和处理ELF格式库文件的代码, `linker_namespaces.cpp` 负责管理命名空间的代码,`linker_relocs.cpp` 负责处理重定位的代码,`linker_sleb128.cpp` 和`linker_uleb128.cpp` 负责压缩和解压缩数据的实现等。除了`bionic/linker` 目录外, ,
2023-03-08 10:23:49 +08:00
,
2023-03-04 18:05:05 +08:00
### 3.12.1 ELF格式
, ( ) ( ) , , ,
, , ( ) , ,
, :
, , ,
, , ,
, , , , ,
, , ,
2023-03-08 10:23:49 +08:00
`Android Studio` 创建一个Native C++的项目, , , `app-debug\lib\arm64-v8a\` 目录, `010 Editor` 编辑器工具中。
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`010 Editor` 编辑器安装一个ELF格式解析的模板, , ,
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
, , , , ,
2023-03-04 18:05:05 +08:00
( ) :
1. e_ident:
2. e_type:
3. e_machine:
4. e_version:
5. e_entry:
6. e_phoff: ( ) ( )
7. e_shoff: ( ) ( )
8. e_flags: ,
9. e_ehsize:
10. e_phentsize: ( )
11. e_phnum:
12. e_shentsize: ( )
13. e_shnum:
14. e_shstrndx:
, ,
( ) ,
每个 program header table 具有相同的固定结构,包含如下字段:
1. p_type: ,
2. p_offset:
3. p_vaddr:
4. p_paddr:
5. p_filesz: ( )
6. p_memsz: ( )
7. p_flags: ,
8. p_align: ,
( ) ( ) , ,
每个 section header table entry, :
: ( ) ,
: ,
: ( ) , ,
: ( )
: ( )
: , ( ) , ,
:
: ( )
: ( ) ,
,
,
`.dynsym` 节: ( ) , `.dynsym` 节可以协助动态加载器( )
`.dynstr` 节:该节包含字符串表,用于存放符号表中的字符串,包括函数名、变量名、库名等等。
`.rela.dyn` 节:该节包含重定位入口表,是 LD( ) `.rel.dyn` 节中每个入口包含需要进行重定位的位置及其要执行的重定位类型等信息。
`.rela.plt` 节:该节也是重定位入口表,但是它只包含用于实现远程函数调用 JUMP SLOT 的入口并跳转过去时需要使用的数据。这些数据是符号的信息,包括符号表中该引用的符号的编号以及重定位类型等等。动态链接器在对 `.rel.plt` 节进行重定位时,会在 GDB stub 中实现远程调用。
`.plt` 节:保存了远程函数调用实现的跳转代码。
`.rodata` 节:包含程序中只读数据的代码段,如字符串常量、全局常量等等。
`.text` 节:程序的主要代码存放在该节中。该节包含可执行代码的机器语言指令,例如函数代码、条件语句、循环语句等等。
`.bss` 节点( ) , ,
`.shstrtab` 节点( ) ,
( ) , , ,
2023-03-08 10:23:49 +08:00
`stringFromJni` 的符号信息。
2023-03-04 18:05:05 +08:00
在 dynamic_symbol_table 中,每个 symbol entry 包含以下信息:
- `st_name` :符号的名称在字符串表节中的偏移量。通过这个偏移量,可以获得符号的名称。
- `st_value` :符号的值,表示符号的地址或偏移量,其含义取决于符号类型。
- `st_size` :符号的大小,即占用的字节数。
- `st_info` :符号的相关信息,包括符号的类型(在最高位),以及局部或全局符号等其他信息(低位)。
- `st_other` :符号的其他信息,通常为 0。
- `st_shndx` : 指向存放符号的Section Header的索引。可以通过该索引找到存储符号的节
`st_info` 字段包括符号的类型和其他属性信息。类型的值可以是以下之一:
- `STT_NOTYPE` :未知类型。
- `STT_OBJECT` : 对象符号,表示一个数据对象。
- `STT_FUNC` : 函数符号,表示相关联的符号是一个函数或可执行指令。
- `STT_SECTION` :表示该符号是一个节。
- `STT_FILE` :表示该符号是源文件名的符号。
- `STB_LOCAL` :局部符号,只在共享库内部可用。
- `STB_GLOBAL` :全局符号,可以在其他共享库和可执行文件中使用。
- `STB_WEAK` :弱符号,在多个地方定义时,优先级较低。
### 3.12.2 动态加载流程
( ) ( ) , , , , :
1. 根据系统的运行时需求, , , ,
2. 在进行动态链接的过程中, , ,
3. 解析符号表。Linker会读取库文件的符号表, ,
4. 检查符号表中的函数的其他库依赖项。如果当前库依赖于其他库,
5. 调整符号地址。Linker会修改符号表中的函数地址, ,
6. 执行初始化和清理代码。在所有库和函数都被解析、链接和装载之后, ,
7. Linker动态加载过程中还会涉及到如动态追加、卸载等操作。
2023-03-08 10:23:49 +08:00
,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public class MainActivity extends AppCompatActivity {
// Used to load the 'linkertest' library on application startup.
static {
System.loadLibrary("linkertest");
}
...
public native String stringFromJNI();
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
, , , , `libcore/ojluni/src/main/java/java/lang/System.java` 查看函数实现如下。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
public static void loadLibrary(String libname) {
Runtime.getRuntime().loadLibrary0(Reflection.getCallerClass(), libname);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```java
2023-03-04 18:05:05 +08:00
void loadLibrary0(Class< ?> fromClass, String libname) {
ClassLoader classLoader = ClassLoader.getClassLoader(fromClass);
loadLibrary0(classLoader, fromClass, libname);
}
private synchronized void loadLibrary0(ClassLoader loader, Class< ?> callerClass, String libname) {
...
String libraryName = libname;
// 如果classloader不是BootClassLoader
if (loader != null & & !(loader instanceof BootClassLoader)) {
String filename = loader.findLibrary(libraryName);
if (filename == null & &
(loader.getClass() == PathClassLoader.class ||
loader.getClass() == DelegateLastClassLoader.class)) {
2023-03-06 12:09:21 +08:00
2023-03-04 18:05:05 +08:00
filename = System.mapLibraryName(libraryName);
}
...
String error = nativeLoad(filename, loader);
if (error != null) {
throw new UnsatisfiedLinkError(error);
}
return;
}
getLibPaths();
String filename = System.mapLibraryName(libraryName);
String error = nativeLoad(filename, loader, callerClass);
if (error != null) {
throw new UnsatisfiedLinkError(error);
}
}
// 看到不管是哪个Classloader都是调用的nativeLoad,
private static String nativeLoad(String filename, ClassLoader loader) {
return nativeLoad(filename, loader, null);
}
// 三个参数重载的是一个native函数
private static native String nativeLoad(String filename, ClassLoader loader, Class< ?> caller);
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```c++
2023-03-04 18:05:05 +08:00
// 调用了JVM_NativeLoad
JNIEXPORT jstring JNICALL
Runtime_nativeLoad(JNIEnv* env, jclass ignored, jstring javaFilename,
jobject javaLoader, jclass caller)
{
return JVM_NativeLoad(env, javaFilename, javaLoader, caller);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
JNIEXPORT jstring JVM_NativeLoad(JNIEnv* env,
jstring javaFilename,
jobject javaLoader,
jclass caller) {
ScopedUtfChars filename(env, javaFilename);
if (filename.c_str() == nullptr) {
return nullptr;
}
std::string error_msg;
{
art::JavaVMExt* vm = art::Runtime::Current()->GetJavaVM();
bool success = vm->LoadNativeLibrary(env,
filename.c_str(),
javaLoader,
caller,
&error_msg);
if (success) {
return nullptr;
}
}
...
}
// 继续找到相关实现
bool JavaVMExt::LoadNativeLibrary(JNIEnv* env,
const std::string& path,
jobject class_loader,
jclass caller_class,
std::string* error_msg) {
error_msg->clear();
SharedLibrary* library;
Thread* self = Thread::Current();
{
MutexLock mu(self, *Locks::jni_libraries_lock_);
library = libraries_->Get(path);
}
...
// 已经加载过的,
if (library != nullptr) {
...
return true;
}
ScopedLocalRef< jstring > library_path(env, GetLibrarySearchPath(env, class_loader));
Locks::mutator_lock_->AssertNotHeld(self);
const char* path_str = path.empty() ? nullptr : path.c_str();
bool needs_native_bridge = false;
char* nativeloader_error_msg = nullptr;
// 加载动态链接库
void* handle = android::OpenNativeLibrary(
env,
runtime_->GetTargetSdkVersion(),
path_str,
class_loader,
(caller_location.empty() ? nullptr : caller_location.c_str()),
library_path.get(),
& needs_native_bridge,
&nativeloader_error_msg);
VLOG(jni) << "[Call to dlopen(\"" < < path << " \", RTLD_NOW ) returned " << handle << "]";
...
bool created_library = false;
{
std::unique_ptr< SharedLibrary > new_library(
new SharedLibrary(env,
self,
path,
handle,
needs_native_bridge,
class_loader,
class_loader_allocator));
MutexLock mu(self, *Locks::jni_libraries_lock_);
library = libraries_->Get(path);
// 将刚刚加载好的链接库保存起来
if (library == nullptr) { // We won race to get libraries_lock.
library = new_library.release();
libraries_->Put(path, library);
created_library = true;
}
}
...
bool was_successful = false;
// 查找符号JNI_OnLoad
void* sym = library->FindSymbol("JNI_OnLoad", nullptr);
if (sym == nullptr) {
...
} else {
ScopedLocalRef< jobject > old_class_loader(env, env->NewLocalRef(self->GetClassLoaderOverride()));
self->SetClassLoaderOverride(class_loader);
VLOG(jni) << "[Calling JNI_OnLoad in \"" < < path << " \"]";
using JNI_OnLoadFn = int(*)(JavaVM*, void*);
JNI_OnLoadFn jni_on_load = reinterpret_cast< JNI_OnLoadFn > (sym);
// 调用JNI_OnLoad
int version = (*jni_on_load)(this, nullptr);
...
}
library->SetResult(was_successful);
return was_successful;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`OpenNativeLibrary` 来加载一个动态库, , `libraries_` 中,下次再加载时,会在`libraries_` 查看是否存在, , ,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
void* OpenNativeLibrary(JNIEnv* env, int32_t target_sdk_version, const char* path,
jobject class_loader, const char* caller_location, jstring library_path,
bool* needs_native_bridge, char** error_msg) {
#if defined(ART_TARGET_ANDROID)
UNUSED(target_sdk_version);
if (class_loader == nullptr) {
...
void* handle = android_dlopen_ext(path, RTLD_NOW, &dlextinfo);
if (handle == nullptr) {
*error_msg = strdup(dlerror());
}
return handle;
...
{
Result< void * > handle = TryLoadNativeloaderExtraLib(path);
if (!handle.ok()) {
*error_msg = strdup(handle.error().message().c_str());
return nullptr;
}
if (handle.value() != nullptr) {
return handle.value();
}
}
...
void* handle = OpenSystemLibrary(path, RTLD_NOW);
if (handle == nullptr) {
*error_msg = strdup(dlerror());
}
return handle;
}
...
#else
for (const std::string& lib_path : library_paths) {
...
void* handle = dlopen(path_arg, RTLD_NOW);
if (handle != nullptr) {
return handle;
}
if (NativeBridgeIsSupported(path_arg)) {
*needs_native_bridge = true;
handle = NativeBridgeLoadLibrary(path_arg, RTLD_NOW);
if (handle != nullptr) {
return handle;
}
*error_msg = strdup(NativeBridgeGetError());
} else {
*error_msg = strdup(dlerror());
}
}
return nullptr;
#endif
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, ,
1. android_dlopen_ext: ,
2. TryLoadNativeloaderExtraLib:
3. OpenSystemLibrary:
, , : ; ;
2023-03-08 10:23:49 +08:00
`android_dlopen_ext` 深入分析,
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
void* android_dlopen_ext(const char* filename, int flag, const android_dlextinfo* extinfo) {
const void* caller_addr = __builtin_return_address(0);
return __loader_android_dlopen_ext(filename, flag, extinfo, caller_addr);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
void* __loader_android_dlopen_ext(const char* filename,
int flags,
const android_dlextinfo* extinfo,
const void* caller_addr) {
return dlopen_ext(filename, flags, extinfo, caller_addr);
}
static void* dlopen_ext(const char* filename,
int flags,
const android_dlextinfo* extinfo,
const void* caller_addr) {
ScopedPthreadMutexLocker locker(&g_dl_mutex);
g_linker_logger.ResetState();
void* result = do_dlopen(filename, flags, extinfo, caller_addr);
if (result == nullptr) {
__bionic_format_dlerror("dlopen failed", linker_get_error_buffer());
return nullptr;
}
return result;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
,
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
void* do_dlopen(const char* name, int flags,
const android_dlextinfo* extinfo,
const void* caller_addr) {
...
soinfo* si = find_library(ns, translated_name, flags, extinfo, caller);
loading_trace.End();
if (si != nullptr) {
void* handle = si->to_handle();
LD_LOG(kLogDlopen,
"... dlopen calling constructors: realpath=\"%s\", soname=\"%s\", handle=%p",
si->get_realpath(), si->get_soname(), handle);
si->call_constructors();
failure_guard.Disable();
LD_LOG(kLogDlopen,
"... dlopen successful: realpath=\"%s\", soname=\"%s\", handle=%p",
si->get_realpath(), si->get_soname(), handle);
return handle;
}
return nullptr;
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`find_library` 进行查找的,找到后又调用了`call_constructors` 函数。先看看`call_constructors` 函数的处理。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
void soinfo::call_constructors() {
if (constructors_called || g_is_ldd) {
return;
}
...
call_function("DT_INIT", init_func_, get_realpath());
call_array("DT_INIT_ARRAY", init_array_, init_array_count_, false, get_realpath());
...
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
`.init` 和`.initarray` 执行的地方,继续看加载的流程。
2023-03-04 18:05:05 +08:00
2023-03-06 12:09:21 +08:00
```cpp
2023-03-04 18:05:05 +08:00
static soinfo* find_library(android_namespace_t* ns,
const char* name, int rtld_flags,
const android_dlextinfo* extinfo,
soinfo* needed_by) {
soinfo* si = nullptr;
if (name == nullptr) {
si = solist_get_somain();
} else if (!find_libraries(ns,
needed_by,
& name,
1,
& si,
nullptr,
0,
rtld_flags,
extinfo,
false /* add_as_children */)) {
if (si != nullptr) {
soinfo_unload(si);
}
return nullptr;
}
si->increment_ref_count();
return si;
}
// 继续向下跟踪
bool find_libraries(...) {
...
ZipArchiveCache zip_archive_cache;
soinfo_list_t new_global_group_members;
for (size_t i = 0; i< load_tasks.size ( ) ; + + i ) {
。。。
if (!find_library_internal(const_cast< android_namespace_t * > (task->get_start_from()),
task,
& zip_archive_cache,
& load_tasks,
rtld_flags)) {
return false;
}
soinfo* si = task->get_soinfo();
}
...
return true;
}
//追踪find_library_internal
static bool find_library_internal(android_namespace_t* ns,
LoadTask* task,
ZipArchiveCache* zip_archive_cache,
LoadTaskList* load_tasks,
int rtld_flags) {
soinfo* candidate;
...
if (load_library(ns, task, zip_archive_cache, load_tasks, rtld_flags,
true /* search_linked_namespaces */)) {
return true;
}
...
return false;
}
static bool load_library(android_namespace_t* ns,
LoadTask* task,
ZipArchiveCache* zip_archive_cache,
LoadTaskList* load_tasks,
int rtld_flags,
bool search_linked_namespaces) {
const char* name = task->get_name();
soinfo* needed_by = task->get_needed_by();
...
LD_LOG(kLogDlopen,
"load_library(ns=%s, task=%s, flags=0x%x, search_linked_namespaces=%d): calling "
"open_library",
ns->get_name(), name, rtld_flags, search_linked_namespaces);
// Open the file.
off64_t file_offset;
std::string realpath;
int fd = open_library(ns, zip_archive_cache, name, needed_by, & file_offset, &realpath);
...
return load_library(ns, task, load_tasks, rtld_flags, realpath, search_linked_namespaces);
}
// open_library打开动态库文件将指定的共享库文件加载到当前进程的地址空间中, ,
static int open_library(android_namespace_t* ns,
ZipArchiveCache* zip_archive_cache,
const char* name, soinfo *needed_by,
off64_t* file_offset, std::string* realpath) {
TRACE("[ opening %s from namespace %s ]", name, ns->get_name());
// If the name contains a slash, we should attempt to open it directly and not search the paths.
if (strchr(name, '/') != nullptr) {
return open_library_at_path(zip_archive_cache, name, file_offset, realpath);
}
...
return fd;
}
// load_library加载解析ELF格式并将其链接到进程的地址空间中, ,
static bool load_library(android_namespace_t* ns,
LoadTask* task,
LoadTaskList* load_tasks,
int rtld_flags,
const std::string& realpath,
bool search_linked_namespaces) {
...
soinfo* si = soinfo_alloc(ns, realpath.c_str(), & file_stat, file_offset, rtld_flags);
task->set_soinfo(si);
// 读取elf header
if (!task->read(realpath.c_str(), file_stat.st_size)) {
task->remove_cached_elf_reader();
task->set_soinfo(nullptr);
soinfo_free(si);
return false;
}
...
return true;
}
// 最后看看read函数,
bool read(const char* realpath, off64_t file_size) {
ElfReader& elf_reader = get_elf_reader();
return elf_reader.Read(realpath, fd_, file_offset_, file_size);
}
2023-03-06 12:09:21 +08:00
```
2023-03-04 18:05:05 +08:00
, , , ,
ElfReader具备以下特点:
- 能够读取ELF文件的头信息,
- 能够读取ELF文件的节表信息,
- 通过节表信息可以获取符号表、重定位表、动态链接表等关键信息,如函数、变量、链接库、导出函数等。
- 支持通过指定节表名称获取某个节表的信息,如根据".rodata"获取只读数据节表的信息等。
在Android开发过程中, ,
2023-03-08 10:23:49 +08:00
`linker` 提供的一些函数来操作动态库,相关函数如下。
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-04 18:05:05 +08:00
2023-03-08 10:23:49 +08:00
2023-03-02 00:49:22 +08:00
2023-03-04 18:05:05 +08:00
## 小结
2023-03-02 00:49:22 +08:00
2023-03-04 18:05:05 +08:00
TODO
