startService源码主要流程解析

226 阅读6分钟

本文基于的是Android 8.0源码。

1、Activity中调用startService

我们启动service的时候都是直接在Activity里面调用startService方法,这里实际上调用的是ContextImpl#startService方法。

我们知道,Activity继承自ContextThemeWrappe,ContextThemeWrapper又继承自ContextWrapper,ContextWrapper只是Context的静态代理,Context的实现类就是ContextImpl。在创建Activity之后,系统会调用Activity#attach方法,将创建好的ContextImpl实例对象设置给Activity,所以在Activity中调用的Context对象的方法基本上都会走ContextImpl中的实现。

2、ContextImpl#startService

ContextImpl#startService 
--> ContextImpl#startServiceCommon
--> ActivityManagerService#startService(通过AMS的Binder对象调用)

3、ActivityManagerService#startService

我们接着看ActivityManagerService#startService方法,

ActivityManagerService#startService
--> ActiveService#startServiceLocked(根据当前服务对象生成一个ServiceRecord.StartItem对象,添加进pendingStarts中,用于后面的onStartCommand方法调用)
--> ActiveService#startServiceInnerLocked
--> ActiveService#bringUpServiceLocked

这里的ActiveService#bringUpServiceLocked方法是核心,我们看下关键代码:

这里我们把代码分为四部分,注释中说明了核心逻辑。

private String bringUpServiceLocked(ServiceRecord r, ...){
    
    // 1
    // 如果条件满足,说明服务也已经启动过,因此服务对应的进程已经启动,该进程对应的ActivityThread也已经准备好,接下来直接通知应用进程调用service的onStartCommand方法即可。
    if (r.app != null && r.app.thread != null) {
        sendServiceArgsLocked(r, execInFg, false);
        return null;
    }

    // 2
    // 走到这里说明服务没有启动过,我们先查看服务所在的进程是否已经启动
    // 如果进程已经启动,并且ActivityThread也已经准备好,则启动服务。
    ProcessRecord app = mAm.getProcessRecordLocked(procName,...);
    if (app != null && app.thread != null) {
       realStartServiceLocked(r, app, execInFg);
    }

    // 3
    // 如果服务所在的进程没启动,则启动进程
    if (app == null) {
        app=mAm.startProcessLocked(procName,...)
    }

    // 4 将服务添加进mPendingServices列表中,等待应用启动之后再启动服务
    if (!mPendingServices.contains(r)) {
        mPendingServices.add(r);
    }
    
    return null;
}

上面的流程可以用下面这个图概括:

接下来我们讲细节,如何启动进程,以及进程启动后如何启动服务

4、启动进程,执行mPendingServices中的服务

Zygote启动进程

ActiveService#bringUpServiceLocked方法中,启动进程的代码如下:

app=mAm.startProcessLocked(procName,...)

接着往下看:

ActivityManagerService#startProcessLocked
--> ActivityManagerService#startProcessLocked(重载方法)
--> ActivityManagerService#startProcessLocked(重载方法)
--> Process.start
--> ZygoteProcess.start
--> ZygoteProcess.startViaZygote

我们看下ZygoteProcess.startViaZygote方法,代码如下:

private Process.ProcessStartResult startViaZygote(final String processClass,...){
    ArrayList<String> argsForZygote = new ArrayList<String>();
    ...
    return zygoteSendArgsAndGetResult(openZygoteSocketIfNeeded(abi), argsForZygote);
}

zygoteSendArgsAndGetResult方法的主要作用就是将传入的应用进程的启动参数argsForZygote写入ZygoteState中,ZygoteState是ZygoteProcess的静态内部类,用于表示与Zygote进程通信的状态。

再看下openZygoteSocketIfNeeded方法,该方法内部会调用ZygoteState.connect(mSocket)方法,与Zygote进程建立Socket连接。

Zygote进程的Socket——接收创建进程的消息,fork创建子进程

我们接下来看下Zygote进程里面启动的Socket,我们先看ZygoteInit#main函数: 这里我们只看跟Socket相关的

public static void main(String argv[]) {
    ZygoteServer zygoteServer = new ZygoteServer();
    String socketName = "zygote";
    
    // 启动名称为zygote的Socket
    zygoteServer.registerServerSocket(socketName);

    // 开启while循环,接收Socket消息并处理
    zygoteServer.runSelectLoop(abiList);

    zygoteServer.closeServerSocket();
}

Socket接收消息的逻辑在ZygoteServer.runSelectLoop方法中,接收到消息后会调用ZygoteConnection#runOnce方法,我们还是看关键代码:

boolean runOnce(ZygoteServer zygoteServer) throws Zygote.MethodAndArgsCaller {
    Arguments parsedArgs = null;
    
    pid = Zygote.forkAndSpecialize(parsedArgs.uid,...);
   
    if (pid == 0) {
        // in child
        handleChildProc(parsedArgs, descriptors, childPipeFd, newStderr);
        return true;
    } else {
       ...
    }
}

先调用Zygote#forkAndSpecialize方法启动进程,fork方法会返回两次,pid为0表示是我们关心的子进程,然后调用Zygote#handleChildProc方法进行处理,Zygote#handleChildProc方法里面会调用ZygoteInit.zygoteInit方法,它的关键代码如下:

public static final void zygoteInit(int targetSdkVersion,...){
    RuntimeInit.commonInit();
    // 给应用进程创建Binder线程池
    ZygoteInit.nativeZygoteInit();
    // 调用进程的ActivityThread#main方法
    RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
}

RuntimeInit#applicationInit方法会调用RuntimeInit#invokeStaticMain方法,具体代码如下:

/**
 * Invokes a static "main(argv[]) method on class "className".
 * Converts various failing exceptions into RuntimeExceptions, with
 * the assumption that they will then cause the VM instance to exit.
 *
 * @param className Fully-qualified class name
 * @param argv Argument vector for main()
 * @param classLoader the classLoader to load {@className} with
 */
private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader)
        throws Zygote.MethodAndArgsCaller {
    Class<?> cl;

    try {
        cl = Class.forName(className, true, classLoader);
    } catch (ClassNotFoundException ex) {
        throw new RuntimeException(
                "Missing class when invoking static main " + className,
                ex);
    }

    Method m;
    try {
        m = cl.getMethod("main", new Class[] { String[].class });
    } catch (NoSuchMethodException ex) {
        throw new RuntimeException(
                "Missing static main on " + className, ex);
    } catch (SecurityException ex) {
        throw new RuntimeException(
                "Problem getting static main on " + className, ex);
    }

    int modifiers = m.getModifiers();
    if (! (Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers))) {
        throw new RuntimeException(
                "Main method is not public and static on " + className);
    }

    /*
     * This throw gets caught in ZygoteInit.main(), which responds
     * by invoking the exception's run() method. This arrangement
     * clears up all the stack frames that were required in setting
     * up the process.
     */
    throw new Zygote.MethodAndArgsCaller(m, argv);
}

RuntimeInit#invokeStaticMain方法的作用很清晰,就是调用其入参className的main(argv[])方法,这里的className的值就是android.app.ActivityThread

ActivityThread#main——通知AMS进程创建完成,初始化Application,

Zygote在启动我们的应用进程后,会调用进程的入口函数android.app.ActivityThread#main。接下来我们看下ActivityThread#main是如何启动服务的。

ActivityThread#main
--> ActivityThread#attach
--> ActivityManagerService#attachApplication(mAppThread) 

ActivityManagerService#attachApplication方法会将应用进程的ActivityThread的Binder对象上报给AMS,这样AMS和应用进程就可以开始双向调用了。接着往下看:

ActivityManagerService#attachApplication(mAppThread)
--> ActivityThread#bindApplication(通过Binder调用ActivityThread的方法)
--> ActivityThread#handleBindApplication(通过Handler切换到主线程)
初始化Application实例

ActivityThread#handleBindApplication方法中,通过调用LoadedApk#makeApplication来创建Application对象,并调用其生命周期方法,LoadedApk#makeApplication的核心代码如下:

public Application makeApplication(...) {
    ContextImpl appContext = ContextImpl.createAppContext(mActivityThread, this);
    app = mActivityThread.mInstrumentation.newApplication(...);
    appContext.setOuterContext(app);

    // 调用Application#onCreate方法
    instrumentation.callApplicationOnCreate(app);

    return app;
}

创建Application对象的具体流程如下:

LoadedApk#makeApplication
--> Instrumentation#newApplication
--> Instrumentation#newApplication(重载方法)  初始化Application实例
--> Application#attach
--> Application#attachBaseContext 

至此我们的应用进程和Application均初始化完毕,我们看下如何在进程启动后启动之前放置在mPendingServices中的服务的。

ActivityManagerService#attachApplicationLocked——进程启动后启动服务

前面说过,进程启动以后,ActivityThread会向AMS上报,会调用到ActivityManagerService#attachApplicationLocked方法,还是老规矩,我们只看相关的核心内容:

private final boolean attachApplicationLocked(IApplicationThread thread,...) {
    // 调用应用端的ActivityThread#bindApplication方法,完成Application初始化
    thread.bindApplication(processName, ...);

    // Find any services that should be running in this process...
    // 调用ActiveServices#attachApplicationLocked方法,执行mPendingServices中的服务
    didSomething |= mServices.attachApplicationLocked(app, processName);
}

ActiveServices#attachApplicationLocked方法中,会遍历mPendingServices,对每个service都执行ActiveServices#realStartServiceLocked方法,具体代码如下:

boolean attachApplicationLocked(ProcessRecord proc, String processName){
    if (mPendingServices.size() > 0) {
        ServiceRecord sr = null;
        for (int i=0; i<mPendingServices.size(); i++) {
            sr = mPendingServices.get(i);
            mPendingServices.remove(i);
            i--;
            realStartServiceLocked(sr, proc, sr.createdFromFg);
        }
    }
}

ActiveServices#realStartServiceLocked方法中,会通过Binder调用ActivityThread#scheduleCreateService方法,告诉应用启动Service;接着还会调用ActiveServices#sendServiceArgsLocked方法,通过Binder调用ActivityThread#scheduleServiceArgs方法,最终调用Service#onStartCommand方法,下面看下细节。

启动服务——ActivityThread#scheduleCreateService

调用链如下:

ActivityThread#scheduleCreateService
--> 发送`H.CREATE_SERVICE`消息给主线程
--> ActivityThread#handleCreateService

ActivityThread#handleCreateService方法里面会初始化Service类,调用其onCreate方法。核心代码如下:

private void handleCreateService(CreateServiceData data) {
    // 初始化Service对象
    java.lang.ClassLoader cl = packageInfo.getClassLoader();
    Service service = (Service) cl.loadClass(data.info.name).newInstance();

    ContextImpl context = ContextImpl.createAppContext(this, packageInfo);
    context.setOuterContext(service);
    // 获取对应的Application对象
    Application app = packageInfo.makeApplication(false, ...);
    // 调用Service#onCreate()方法
    service.onCreate();
}
调用服务的onStartCommand——ActivityThread#scheduleServiceArgs

调用链如下:

ActivityThread#scheduleServiceArgs
--> 发送`H.SERVICE_ARGS`消息给主线程
--> ActivityThread#handleServiceArgs
--> Service#onStartCommand

至此第一次启动应用 + 启动服务的总体过程完成。

流程总结

至此,一次完整的startService过程的关键步骤分析完毕。