Android Runtime（一）

1.Android 架构

---

Android上层是java，framework是java，native是c++，驱动是c 。连接起来的是jni，虚拟机

如借用的图所示，Android Runtime连接了framework和lib，包括两部分：core lib和虚拟机（5.1开始art完全取代dv）

---

2.Android 进程关系

android启动是从init.c开始的，而且init是android的第一个进程，zygot也是其fork的

USER      PID   PPID  VSIZE  RSS   WCHAN              PC  NAME
root      1     0     17112  1304  SyS_epoll_ 0000000000 S /init
root      2     0     0      0       kthreadd 0000000000 S kthreadd
root      3     2     0      0     smpboot_th 0000000000 S ksoftirqd/0
root      5     2     0      0     worker_thr 0000000000 S kworker/0:0H
root      6     2     0      0     diag_socke 0000000000 S kworker/u16:0

root      512   1     6564   388   SyS_epoll_ 0000000000 S /sbin/healthd
root      513   1     18084  1164  binder_thr 0000000000 S /system/bin/performanceadjustor
nobody    516   1     16860  984   poll_sched 0000000000 S /system/bin/rmt_storage
root      517   2     0      0     worker_thr 0000000000 S kworker/7:1H
rfs       518   1     11260  804   poll_sched 0000000000 S /system/bin/tftp_server

这是坚果的，kthreadd应该就是zygote，坚果给重命名了。bin sbin system/bin是init进程fork出来的，PPID是1，其他都是zygote进程fork出来的，PPID是2。

---

3.Android 启动

1.init进程作为linux启动过程中的一个重要的进程，它主要负责文件系统的挂载，属性的初始化，各种配置的加载启动以及Action触发，Service的启动，而Zygote作为Java环境下的服务进程，也在Init.rc中进行了配置，而init进程是由main函数进行触发的

/system/core/init/init.c

int main(int argc, char **argv)
{
...
    if (!strcmp(basename(argv[0]), "ueventd"))
        return ueventd_main(argc, argv);//uevent 

    if (!strcmp(basename(argv[0]), "watchdogd"))
        return watchdogd_main(argc, argv);

    /* clear the umask */
    umask(0);

        /* Get the basic filesystem setup we need put
         * together in the initramdisk on / and then we'll
         * let the rc file figure out the rest.
         */
    mkdir("/dev", 0755);    //挂在文件系统
    mkdir("/proc", 0755);
    mkdir("/sys", 0755);

    mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
    mkdir("/dev/pts", 0755);
    mkdir("/dev/socket", 0755);
    mount("devpts", "/dev/pts", "devpts", 0, NULL);
    mount("proc", "/proc", "proc", 0, NULL);
    mount("sysfs", "/sys", "sysfs", 0, NULL);

        /* indicate that booting is in progress to background fw loaders, etc */
    close(open("/dev/.booting", O_WRONLY | O_CREAT, 0000));

        /* We must have some place other than / to create the
         * device nodes for kmsg and null, otherwise we won't
         * be able to remount / read-only later on.
         * Now that tmpfs is mounted on /dev, we can actually
         * talk to the outside world.
         */
    open_devnull_stdio();
    klog_init();  //klog 初始化
    property_init();//property 初始化

    get_hardware_name(hardware, &revision);

    process_kernel_cmdline();//执行kernel命令

#ifdef HAVE_SELINUX
    union selinux_callback cb;
    cb.func_log = klog_write;
    selinux_set_callback(SELINUX_CB_LOG, cb);

    cb.func_audit = audit_callback;
    selinux_set_callback(SELINUX_CB_AUDIT, cb);

    INFO("loading selinux policy\n");
    if (selinux_enabled) {
        if (selinux_android_load_policy() < 0) {//加载selinux policy
            selinux_enabled = 0;
            INFO("SELinux: Disabled due to failed policy load\n");
        } else {
            selinux_init_all_handles();//se 初始化
        }
    } else {
        INFO("SELinux:  Disabled by command line option\n");
    }
    /* These directories were necessarily created before initial policy load
     * and therefore need their security context restored to the proper value.
     * This must happen before /dev is populated by ueventd.
     */
    restorecon("/dev");
    restorecon("/dev/socket");
#endif

    is_charger = !strcmp(bootmode, "charger");

    INFO("property init\n");
    if (!is_charger)
        property_load_boot_defaults(); //加载prop

    INFO("reading config file\n");
    init_parse_config_file("/init.rc");//解析init.rc里面有zygote信息，各种service信息
...
}

2.init.rc 起zygote。在手机目录能看到system/bin/app_process，--zygote --start-system-server是参数，在后续是决定是zygote还是非zygote模式的参数

/system/core/rootdir/init.rc

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

3.进入app_main.cpp的main函数

frameworks/base/cmds/app_process/app_main.cpp

int main(int argc, char* const argv[])
{
    if (!LOG_NDEBUG) {
...
      ALOGV("app_process main with argv: %s", argv_String.string());//log佐证起了app_process
    }

    AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
    // Process command line arguments
    // ignore argv[0]
    argc--;
    argv++;
    //这段注释解释的还是比较清楚，由传入的参数决定是zygote还是非zygote模式
    // Everything up to '--' or first non '-' arg goes to the vm.
    //
    // The first argument after the VM args is the "parent dir", which
    // is currently unused.
    //
    // After the parent dir, we expect one or more the following internal
    // arguments :
    //
    // --zygote : Start in zygote mode
    // --start-system-server : Start the system server.
    // --application : Start in application (stand alone, non zygote) mode.
    // --nice-name : The nice name for this process.
    //
    // For non zygote starts, these arguments will be followed by
    // the main class name. All remaining arguments are passed to
    // the main method of this class.
    //
    // For zygote starts, all remaining arguments are passed to the zygote.
    // main function.
    //
    // Note that we must copy argument string values since we will rewrite the
    // entire argument block when we apply the nice name to argv0.
    //
    // As an exception to the above rule, anything in "spaced commands"
    // goes to the vm even though it has a space in it.
    const char* spaced_commands[] = { "-cp", "-classpath" };
    // Allow "spaced commands" to be succeeded by exactly 1 argument (regardless of -s).
...
    while (i < argc) {//不同参数的赋值，决定后续调用方向
        const char* arg = argv[i++];
        if (strcmp(arg, "--zygote") == 0) {
            zygote = true;
            niceName = ZYGOTE_NICE_NAME;
        } else if (strcmp(arg, "--start-system-server") == 0) {
            startSystemServer = true;
        } else if (strcmp(arg, "--application") == 0) {
            application = true;
        } else if (strncmp(arg, "--nice-name=", 12) == 0) {
            niceName.setTo(arg + 12);
        } else if (strncmp(arg, "--", 2) != 0) {
            className.setTo(arg);
            break;
        } else {
            --i;
            break;
        }
    }
...

    if (zygote) {
        runtime.start("com.android.internal.os.ZygoteInit", args, zygote);
    } else if (className) {
        runtime.start("com.android.internal.os.RuntimeInit", args, zygote);
    } else {
        fprintf(stderr, "Error: no class name or --zygote supplied.\n");
        app_usage();
        LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
    }
}

传了不同的参数ZygoteInit和RuntimeInit 

4. 进入AndroidRuntime.cpp的start函数

frameworks/base/core/jni/AndroidRuntime.cpp

void AndroidRuntime::start(const char* className, const char* options)
{
...
837    /* start the virtual machine */
    JNIEnv* env;
    if (startVm(&mJavaVM, &env) != 0) {//启动虚拟机
        return;
    }
    onVmCreated(env);//释放资源，跟进去看就知道

    /*
     * Register android functions.
     */
    if (startReg(env) < 0) {
848        ALOGE("Unable to register all android natives\n");
849        return;
850    }
851
852    /*
853     * We want to call main() with a String array with arguments in it.
854     * At present we have two arguments, the class name and an option string.
855     * Create an array to hold them.
856     *///注释暴露了目标调用class 的main函数
857    jclass stringClass;
858    jobjectArray strArray;
859    jstring classNameStr;
860    jstring optionsStr;
861
862    stringClass = env->FindClass("java/lang/String");
863    assert(stringClass != NULL);
864    strArray = env->NewObjectArray(2, stringClass, NULL);
865    assert(strArray != NULL);
866    classNameStr = env->NewStringUTF(className);
867    assert(classNameStr != NULL);
868    env->SetObjectArrayElement(strArray, 0, classNameStr);
869    optionsStr = env->NewStringUTF(options);
870    env->SetObjectArrayElement(strArray, 1, optionsStr);
871
872    /*
873     * Start VM.  This thread becomes the main thread of the VM, and will
874     * not return until the VM exits.
875     */
876    char* slashClassName = toSlashClassName(className);
877    jclass startClass = env->FindClass(slashClassName);
878    if (startClass == NULL) {
879        ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
880        /* keep going */
881    } else {
882        jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
883            "([Ljava/lang/String;)V");//获取main函数
884        if (startMeth == NULL) {
885            ALOGE("JavaVM unable to find main() in '%s'\n", className);
886            /* keep going */
887        } else {
888            env->CallStaticVoidMethod(startClass, startMeth, strArray);//调用main函数
889
890#if 0
891            if (env->ExceptionCheck())
892                threadExitUncaughtException(env);
893#endif
894        }
895    }
896    free(slashClassName);
897
898    ALOGD("Shutting down VM\n");
899    if (mJavaVM->DetachCurrentThread() != JNI_OK)
900        ALOGW("Warning: unable to detach main thread\n");
901    if (mJavaVM->DestroyJavaVM() != 0)
902        ALOGW("Warning: VM did not shut down cleanly\n");
903}

这里进入了不同的调用流程，Zygote和非Zygote模式，后面再分析

先看下startVm

int AndroidRuntime::startVm(JavaVM** pJavaVM, JNIEnv** pEnv)
444{
...
 //获取vm的各种属性
    property_get("dalvik.vm.execution-mode", propBuf, "");
    if (strcmp(propBuf, "int:portable") == 0) {
        executionMode = kEMIntPortable;
    } else if (strcmp(propBuf, "int:fast") == 0) {
...
    /*
     * Initialize the VM.
     *
     * The JavaVM* is essentially per-process, and the JNIEnv* is per-thread.
     * If this call succeeds, the VM is ready, and we can start issuing
     * JNI calls.
     */
    if (JNI_CreateJavaVM(pJavaVM, pEnv, &initArgs) < 0) {
        ALOGE("JNI_CreateJavaVM failed\n");
        goto bail;
    }

    result = 0;

bail:
    free(stackTraceFile);
    return result;
}

进入JNI_CreateJavaVM ，追踪得到是在libart.so里面

继续跟踪下一个startReg

/*static*/ int AndroidRuntime::startReg(JNIEnv* env)
{
    /*
     * This hook causes all future threads created in this process to be
     * attached to the JavaVM.  (This needs to go away in favor of JNI
     * Attach calls.)
     */
    androidSetCreateThreadFunc((android_create_thread_fn) javaCreateThreadEtc);

    ALOGV("--- registering native functions ---\n");

    /*
     * Every "register" function calls one or more things that return
     * a local reference (e.g. FindClass).  Because we haven't really
     * started the VM yet, they're all getting stored in the base frame
     * and never released.  Use Push/Pop to manage the storage.
     */
    env->PushLocalFrame(200);

    if (register_jni_procs(gRegJNI, NELEM(gRegJNI), env) < 0) {
        env->PopLocalFrame(NULL);
        return -1;
    }
    env->PopLocalFrame(NULL);

    //createJavaThread("fubar", quickTest, (void*) "hello");

    return 0;
}

进入register_jni_procs，可以看到是各种jni注册