A Brief Analysis of the Android Initialization Flow

Uploaded by: m**** Document ID: 202262086 Upload date: 2023-04-21 Format: DOCX Pages: 39 Size: 441.65 KB

Android
Brief Analysis of the Android Initialization Flow
liranke

TABLE OF CONTENTS

1 Init process
  1.1 Main function (quoted from the SDK reference documentation)
    1.1.1 Process step
    1.1.2 Start services
  1.2 Flow chart
    1.2.1 Flow chart
  1.3 Analyse
    1.3.1 FD
  1.4 System status
    1.4.1 Process list
2 Adbd
3 Servicemanager
  3.1 Introduce
  3.2 Compiler
  3.3 Flow
    3.3.1 Main of frameworks/base/cmds/servicemanager/service_manager.c
  3.4 Main_runtimer.cpp
4 Mountd
  4.1 Analyse
5 Debuggerd
  5.1 Chart
6 Rild
  6.1 Chart
    6.1.1 RIL Architecture
    6.1.2 RIL Flow
7 Zygote
  7.1 Introduce
  7.2 App_process
    7.2.1 Compile
    7.2.2 Class chart
    7.2.3 Flow chart
  7.3 ZygoteInit
    7.3.1 Compile
    7.3.2 ZygoteInit Main function flow chart
8 System_server
  8.1 Compile
  8.2 Analyse
    8.2.1 Server Class chart
    8.2.2 System_init
    8.2.3 startSystemServer
    8.2.4 runSelectLoopMode
    8.2.5 Execution of context = ActivityManagerService.main(factoryTest)
9 Media
10 Bootsound
11 Dbus
12 Installd
  12.1 Chart
  12.2 Analyse

1 Init process

Init is the first process started after the kernel boots. Its code is in the system/core/init directory of the Android tree, and its main function is in init.c. Init is started by the kernel_init function, located in the init directory of the kernel tree, via the execve function.

1.1 Main function (quoted from the SDK reference documentation)

1.1.1 Process step:

1. Mount the basic file systems and initialize the log system.
2. Parse /init.rc and /init.%hardware%.rc.
3. Execute the early-init action in init.rc.
4. Perform device-specific initialization.
5. Initialize the property system, load the Android image, then print "ANDROID".
6. Execute the init action in init.rc.
7. Start the property service.
8. Execute the early-boot and boot actions in init.rc.
9. Execute the property actions in init.rc.
10. Enter an infinite loop to wait for device, property-set and child-process-exit events. For example, if an SD card is plugged in, init receives a device add event, so it can create the node for the device. Most of the important processes are forked by init, so if any of them crashes, init receives a SIGCHLD and translates it into a child process exit event; in the loop init handles that event and executes the commands defined in *.rc (it runs the onrestart commands).

1.1.2 Start services:

The .rc file is a script file defined by Android. The default is device/system/rootdir/init.rc. We can take a look at the file format (device/system/init/readme.txt is a good overall introduction to the script). Basically the script file contains actions and services.

init.rc will run the following services:

- console: start a shell. The source is in device/system/bin/sh.
- adbd: start the adb daemon. The source is in device/tools/adbd. Disabled by default.
- servicemanager: start the binder system. The source is in device/commands/binder.
- mountd: mount all file systems defined in /system/etc/mountd.conf if started, and receive commands through a local socket to mount any file system. The source is in device/system/bin/mountd.
- debuggerd: start the debug system. The source is in device/system/bin/debuggerd.
- rild: start the radio interface layer daemon. The source is in device/commands/rild.
- zygote: start the Android Java runtime and start the system server. It is the most important service. The source is in device/servers/app.
- media: start AudioFlinger, MediaPlayerService and CameraService. The source is in device/commands/mediaserver.
- bootsound: play the default boot sound /system/media/audio/ui/boot.mp3. The source is in device/commands/playmp3.
- dbus: start the dbus daemon; it is only used by BlueZ. The source is in device/system/Bluetooth/dbus-daemon.
- hcid: redirect hcid's stdout and stderr to the Android logging system. The source is in device/system/bin/logwrapper. Disabled by default.
- hfag: start the Bluetooth handsfree audio gateway; it is only used by BlueZ. The source is in device/system/Bluetooth/bluez-utils. Disabled by default.
- hsag: start the Bluetooth headset audio gateway; it is only used by BlueZ. The source is in device/system/Bluetooth/bluez-utils. Disabled by default.
- installd: start the install package daemon. The source is in device/servers/installd.
- flash_recovery: load /system/recovery.img. The source is in device/commands/recovery/mtdutils.

1.2 Flow chart:

1.2.1 Flow chart:

1.3 Analyse:

1.3.1 FD:

The file descriptors are device_fd, property_set_fd, signal_recv_fd and signal_fd (global values).

ufds: struct pollfd ufds[4] = { device_fd, property_set_fd, signal_recv_fd, keychord_fd }

1. device_fd

Fd: device_fd

2. property_set_fd

Fd: property_set_fd

(2) Property_set_fd C/S chart:

    #define PROP_SERVICE_NAME "property_service"

Server (start_property_service):

    fd = create_socket(PROP_SERVICE_NAME, SOCK_STREAM, 0666, 0, 0);  /* socket and bind */
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    fcntl(fd, F_SETFL, O_NONBLOCK);
    listen(fd, 8);
    s = accept(fd, (struct sockaddr *) &addr, &addr_size);
    r = recv(s, &msg, sizeof(msg), 0);
    close(fd);

Client (load_properties_from_file):

    s = socket_local_client(PROP_SERVICE_NAME,
                            ANDROID_SOCKET_NAMESPACE_RESERVED,
                            SOCK_STREAM);  /* socket, connect */
    r = send(s, msg, sizeof(prop_msg), 0);
    close(fd);

3. signal_recv_fd

signal_recv_fd and signal_fd:

    /* create a signalling mechanism for the sigchld handler */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == 0) {
        signal_fd = s[0];
        signal_recv_fd = s[1];
        fcntl(s[0], F_SETFD, FD_CLOEXEC);
        fcntl(s[0], F_SETFL, O_NONBLOCK);
        fcntl(s[1], F_SETFD, FD_CLOEXEC);
        fcntl(s[1], F_SETFL, O_NONBLOCK);
    }

    /* read signal */
    read(signal_recv_fd, tmp, sizeof(tmp));
    while (!wait_for_one_process(0))
        ;  /* blocking */

4. signal_fd (see signal_recv_fd)

1.4 System status

1.4.1 Process list

[Process list: ps output with the columns USER, PID, PPID, VSIZE, RSS, WCHAN, PC, NAME]

From the point of view of the real application layer, the parent process of every application (such as settings and media) is zygote, because every application is a VM.

2 Adbd

See "Android Adb Analyse".

3 Servicemanager

3.1 Introduce

Binder communication overview:

Inter-process communication mechanisms on Linux include sockets, named pipes, message queues, signals and shared memory. Java offers IPC through sockets, named pipes and so on, and Android applications can of course use Java's IPC mechanisms to communicate between processes. Looking through the Android source, however, I found that applications on the same device almost never communicate this way; Binder communication is used instead. Why did Google choose this approach? The reason is the high efficiency of Binder. Binder communication is implemented by the Linux binder driver. A Binder operation resembles thread migration: IPC between two processes looks as if one process enters the other, executes code there and returns with the result. The user-space side of Binder maintains a pool of available threads for each process; the pool handles incoming IPC and executes process-local messages. Binder communication is synchronous, not asynchronous.

Binder communication in Android is based on services and clients. Every process that needs to communicate over IBinder must create an IBinder interface. One process in the system manages all system services, and Android does not allow users to add unauthorized system services; now that the source is open, of course, we can modify some code to add a low-level system service. User programs also need to create a server, or Service, for inter-process communication. Here ActivityManagerService manages the creation, connection and disconnection of all services in the Java application layer, and every Activity is also started and loaded through this service. ActivityManagerService is itself loaded in the System Service. "System service" here means the System Service Manager, that is, the servicemanager process.

Before the Android virtual machine starts, the system first starts the Service Manager process. Service Manager opens the binder driver and tells the binder kernel driver that this process will act as the System Service Manager; the process then enters a loop, waiting to handle data from other processes. After creating a system service, the user obtains a remote ServiceManager interface through defaultServiceManager and, through that interface, calls addService to add the system service to the Service Manager process. A client can then call getService to obtain the IBinder object of the target service it wants to connect to. This IBinder is a reference, held in the binder kernel driver, to the service's BBinder, so no two identical IBinder objects for a service exist in the binder kernel driver. Every client process must also open the binder driver. For a user program, once we have this object we can call the methods of the service object through the binder kernel driver. Client and service live in different processes, and this mechanism gives them a communication style similar to thread migration: once the user program has the IBinder interface returned by the service, calling the service's methods is just like calling its own functions.

3.2 Compiler

1. path: frameworks/base/cmds/servicemanager
   file: service_manager.c binder. binder.c

2. Android.mk

    ifneq ($(TARGET_SIMULATOR),true)
    LOCAL_PATH:= $(call my-dir)

    #include $(CLEAR_VARS)
    #LOCAL_SRC_FILES := bctest.c binder.c
    #LOCAL_MODULE := bctest
    #include $(BUILD_EXECUTABLE)

    include $(CLEAR_VARS)
    LOCAL_SHARED_LIBRARIES := liblog
    LOCAL_SRC_FILES := service_manager.c binder.c
    LOCAL_MODULE := servicemanager
    include $(BUILD_EXECUTABLE)
    endif

3.3 Flow:

3.3.1 Main of frameworks/base/cmds/servicemanager/service_manager.c

    int main(int argc, char **argv)
    {
        struct binder_state *bs;                /* binder driver state structure */
        void *svcmgr = BINDER_SERVICE_MANAGER;  /* handle of the service manager process */

        bs = binder_open(128*1024);             /* open the driver and map memory for it */

        /* call ioctl to tell the Binder kernel driver that this is the service manager process */
        if (binder_become_context_manager(bs)) {
            LOGE("cannot become context manager (%s)\n", strerror(errno));
            return -1;
        }

        svcmgr_handle = svcmgr;  /* global variable void *svcmgr_handle, initial value ((void*) 0) */

        /* enter an infinite loop: binder_loop waits for data from other processes.
           The binder_handler that processes it is
           int svcmgr_handler(struct binder_state *bs, struct binder_txn *txn,
                              struct binder_io *msg, struct binder_io *reply) */
        binder_loop(bs, svcmgr_handler);
        return 0;
    }

1. binder_state definition:

    struct binder_state
    {
        int fd;
        void *mapped;      /* the allocated memory region */
        unsigned mapsize;  /* size of the memory region */
    };

2. binder_become_context_manager function:

    int binder_become_context_manager(struct binder_state *bs)
    {
        return ioctl(bs->fd, BINDER_SET_CONTEXT_MGR, 0);
    }

3. binder_ioctl, the function that implements ioctl:

3.1 The driver (kernel/include/linux/Binder.c) contains binder_ioctl, the function that implements ioctl; that is, calling ioctl calls binder_ioctl and thereby enters the kernel.

    static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
    {
        int ret;
        struct binder_proc *proc = filp->private_data;
        struct binder_thread *thread;
        unsigned int size = _IOC_SIZE(cmd);
        void __user *ubuf = (void __user *)arg;

        /*printk(KERN_INFO "binder_ioctl: %d:%d %x %lx\n", proc->pid, current->pid, cmd, arg);*/

        ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
        ...
                ... pid, thread->pid, bwr.write_size, bwr.write_buffer, bwr.read_size, bwr.read_buffer);
            if (bwr.write_size > 0) {
                ret = binder_thread_write(proc, thread, (void __user *)bwr.write_buffer, bwr.write_size, &bwr.write_consumed);
                if (ret ...
            ... 0) {
                ret = binder_thread_read(proc, thread, (void __user *)bwr.read_buffer, bwr.read_size, &bwr.read_consumed, filp->f_flags & O_NONBLOCK);
                if (!list_empty(&proc->todo))
                    wake_up_interruptible(&proc->wait);
                if (ret ...
                ... pid, thread->pid, bwr.write_consumed, bwr.write_size, bwr.read_consumed, bwr.read_size);
            if (copy_to_user(ubuf, &bwr, sizeof(bwr))) {
                ret = -EFAULT;
                goto err;
            }
            break;
        case BINDER_SET_MAX_THREADS:
            if (copy_from_user(&proc->max_threads, ubuf, sizeof(proc->max_threads))) {
                ret = -EINVAL;
                goto err;
            }
            break;
        case BINDER_SET_CONTEXT_MGR:
            if (binder_context_mgr_node != NULL) {
                printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR already set\n");
                ret = -EBUSY;
                goto err;
            }
            if (binder_context_mgr_uid != -1) {
                if (binder_context_mgr_uid != current->euid) {
                    printk(KERN_ERR "binder: BINDER_SET_CONTEXT_MGR bad uid %d != %d\n", current->euid, binder_context_mgr_uid);
                    ret = -EPERM;
                    goto err;
                }
            } else
                binder_context_mgr_uid = current->euid;
            binder_context_mgr_node = binder_new_node(proc, NULL, NULL);
            if (binder_context_mgr_node == NULL) {
                ret = -ENOMEM;
                goto err;
            }
            binder_context_mgr_node->local_weak_refs++;
            binder_context_mgr_node->local_strong_refs++;
            binder_context_mgr_node->has_strong_ref = 1;
            binder_context_mgr_node->has_weak_ref = 1;
            break;
        case BINDER_THREAD_EXIT:
            if (binder_debug_mask & BINDER_DEBUG_THREADS)
                printk(KERN_INFO "binder: %d:%d exit\n", proc->pid, thread->pid);
            binder_free_thread(proc, thread);
            thread = NULL;
            break;
        case BINDER_VERSION:
            if (size != sizeof(struct binder_version)) {
                ret = -EINVAL;
                goto err;
            }
            if (put_user(BINDER_CURRENT_PROTOCOL_VERSION, &((struct binder_version *)ubuf)->protocol_version)) {
                ret = -EINVAL;
                goto err;
            }
            break;
        default:
            ret = -EINVAL;
            goto err;
        }
        ret = 0;
    err:
        if (thread)
            thread->looper &= ~BINDER_LOOPER_STATE_NEED_RETURN;
        mutex_unlock(&binder_lock);
        wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2);
        ...
            ... pid, current->pid, cmd, arg, ret);
        return ret;
    }

Data structures defined in kernel/drivers/android/Binder.c:

    struct binder_proc {
        struct hlist_node proc_node;  /* implements a doubly linked list */
        struct rb_root threads;       /* thread queue, doubly linked list */
        struct rb_root nodes;
        struct rb_root refs_by_desc;
        struct rb_root refs_by_node;
        int pid;                      /* process ID */
        struct vm_area_struct *vma;
        struct task_struct *tsk;
        void *buffer;
        size_t user_buffer_offset;
        struct list_head buffers;
        struct rb_root free_buffers;
        struct rb_root allocated_buffers;
        size_t free_async_space;
        struct page **pages;
        size_t buffer_size;
        uint32_t buffer_free;
        struct list_head todo;
        wait_queue_head_t wait;
        struct binder_stats stats;
        struct list_head delivered_death;
        int max_threads;
        int requested_threads;
        int requested_threads_started;
        int ready_threads;
        long default_priority;
    };

    struct binder_thread {
        struct binder_proc *proc;  /* owning process */
        struct rb_node rb_node;
        int pid;                   /* thread pid */
        int looper;                /* thread state information */
        struct binder_transaction *transaction_stack;  /* describes the process/thread to receive from and send to */
        struct list_head todo;
        uint32_t return_error;   /* Write failed, return error code in read buf */
        uint32_t return_error2;  /* Write failed, return error code in read */
                                 /* buffer. Used when sending a reply to a dead process that */
                                 /* we are also waiting on */
        wait_queue_head_t wait;
        struct binder_stats stats;
    };

The current thread's information can be obtained from binder_proc, because all thread information is stored in the struct rb_root threads queue. The call thread = binder_get_thread(proc); finds the current thread's information by comparing the pid of each thread in the queue with the pid of the current thread. If a match is found, its thread information is returned; if not, a new thread entry is created, added to the queue, and its ready-thread queue and other fields are initialized. The returned thread information is stored in a binder_thread structure.

Executing ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); suspends the process that called ioctl until binder returns.

Next comes the switch (cmd) statement, where binder responds to the command it received. In the case BINDER_SET_CONTEXT_MGR branch, the driver sets its global variable binder_context_mgr_uid to the uid of the current process, and initializes a binder_node that it assigns to the global variable binder_context_mgr_node. This completes the registration of the Service Manager.

4. binder_loop

The program then enters binder_loop, the main body of the Service Manager, where it loops, listens, and responds to requests from other programs. Its implementation is void binder_loop(struct binder_state *bs, binder_handler func).

3.4 Main_runtimer.cpp

Chart:

- ProcessState()
- run(proc)
- ProcessState::self()
- setContextObject(NULL)
- setContextObject(object, String16("default"))
- Set up ANDROID_* env (ANDROID_ROOT, ANDROID_DATA)
- boot_init()
- sp<ProcessState> proc(ProcessState::self())
- proc->becomeContextManager(contextChecker, NULL);
- proc->supportsProces
