Android Frameworks源码分析之Zygote进程的启动

在Android系统里，所有的应用程序进程都是从Zygote进程fork出来的。Zygote是由init进程启动的。并且在Zygote里有一个虚拟机的实例。在Zygote启动的时候，会创建一个Socket，等待连接。

在前面组件启动的过程分析中，我们知道，如果发现加载组件的进程不存在时，会调用Process的start函数来创建一个新进程。这是通过和Zygote进程的Socket建立连接来完成的，Zygote通过复制自己的方式来生成一个新进程，因此在新进程中就会自动包含一个虚拟机实例。

在这篇文章里，我们就来看一下Zygote进程的启动过程。

和这部分相关的代码如下所示：

init.rc 位于 system/core/rootdir/init.rc

app_main.cpp 位于frameworks/base/cmds/app_process/app_main.cpp

AndroidRuntime.h 位于frameworks/base/include/android_runtime/AndroidRuntime.h

AndroidRuntime.cpp 位于frameworks/base/core/jin/AndroidRuntime.cpp 

ZygoteInit.java 位于 frameworks/base/core/java/com/android/internal/os/ZygoteInit.java

LocalServerSocket.java 位于 frameworks/base/core/java/android/net/LocalServerSocket.java

LocalSocketImpl.java 位于 frameworks/base/core/java/android/net/LocalSocketImpl.java

ZygoteConnection.java 位于frameworks/base/core/java/com/android/internal/os/ZygoteConnection.java

在Linux系统中，init进程是系统的第一个进程，所有的进程都是由init进程fork出来的。Zygote也不例外。init会扫描inic.rc脚本，从而将里面的进程启动起来。和Zygote相关的是下面这部门代码：

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

在Android系统中，Zygote是作为服务运行的，并且程序位于/system/bin下的app_process, 而参数--start-system-server表明在Zygote启动的时候要要将SystemServer一并启动起来。而下面的语句表明 Zygote进程需要启动一个名为"zygote"的socket。

了解了以上的知识之后，我们知道Zygote的启动程序是位于/system/bin/下的app_process, 这个程序的源码是app_main.cpp文件，入口是main函数。因此我们就从app_main.cpp文件的main函数开始分析：

int main(int argc, const char* const argv[])
{
    // These are global variables in ProcessState.cpp
    mArgC = argc;
    mArgV = argv;

    mArgLen = 0;
    for (int i=0; i<argc; i++) {
        mArgLen += strlen(argv[i]) + 1;
    }
    mArgLen--;
	
	//构造一个AppRuntime对象
    AppRuntime runtime;
    const char* argv0 = argv[0];

    // Process command line arguments
    // ignore argv[0]
    argc--;
    argv++;

    // Everything up to '--' or first non '-' arg goes to the vm

    int i = runtime.addVmArguments(argc, argv);

    // Parse runtime arguments.  Stop at first unrecognized option.
    bool zygote = false;
    bool startSystemServer = false;
    bool application = false;
    const char* parentDir = NULL;
    const char* niceName = NULL;
    const char* className = NULL;
    while (i < argc) {
        const char* arg = argv[i++];
        if (!parentDir) {
            parentDir = arg;
        } else if (strcmp(arg, "--zygote") == 0) {
            zygote = true;
            niceName = "zygote";
        } else if (strcmp(arg, "--start-system-server") == 0) {
            startSystemServer = true;
        } else if (strcmp(arg, "--application") == 0) {
            application = true;
        } else if (strncmp(arg, "--nice-name=", 12) == 0) {
            niceName = arg + 12;
        } else {
            className = arg;
            break;
        }
    }

    if (niceName && *niceName) {
        setArgv0(argv0, niceName);
        set_process_name(niceName);
    }

    runtime.mParentDir = parentDir;

    if (zygote) {
		//启动进程
        runtime.start("com.android.internal.os.ZygoteInit",
                startSystemServer ? "start-system-server" : "");
    } else if (className) {
        // Remainder of args get passed to startup class main()
        runtime.mClassName = className;
        runtime.mArgC = argc - i;
        runtime.mArgV = argv + i;
        runtime.start("com.android.internal.os.RuntimeInit",
                application ? "application" : "tool");
    } else {
        fprintf(stderr, "Error: no class name or --zygote supplied.\n");
        app_usage();
        LOG_ALWAYS_FATAL("app_process: no class name or --zygote supplied.");
        return 10;
    }
}

在main函数中，会首先构造一个AppRuntime对象, 表示要启动的进程参数。

AppRuntime是在app_main.cpp文件中定义的：

class AppRuntime : public AndroidRuntime

继承自AndroidRuntime，AndroidRuntime定义在AndroidRuntime.cpp，我们来看一下AndroidRuntime的start函数的实现：

void AndroidRuntime::start(const char* className, const char* options)
{
    ALOGD("\n>>>>>> AndroidRuntime START %s <<<<<<\n",
            className != NULL ? className : "(unknown)");

    blockSigpipe();

    /*
     * 'startSystemServer == true' means runtime is obsolete and not run from
     * init.rc anymore, so we print out the boot start event here.
     */
    if (strcmp(options, "start-system-server") == 0) {
        /* track our progress through the boot sequence */
        const int LOG_BOOT_PROGRESS_START = 3000;
        LOG_EVENT_LONG(LOG_BOOT_PROGRESS_START,
                       ns2ms(systemTime(SYSTEM_TIME_MONOTONIC)));
    }

    const char* rootDir = getenv("ANDROID_ROOT");
    if (rootDir == NULL) {
        rootDir = "/system";
        if (!hasDir("/system")) {
            LOG_FATAL("No root directory specified, and /android does not exist.");
            return;
        }
        setenv("ANDROID_ROOT", rootDir, 1);
    }

    //const char* kernelHack = getenv("LD_ASSUME_KERNEL");
    //ALOGD("Found LD_ASSUME_KERNEL='%s'\n", kernelHack);

    //启动虚拟机
    JNIEnv* env;
    if (startVm(&mJavaVM, &env) != 0) {
        return;
    }
    onVmCreated(env);

	//注册JNI方法
    if (startReg(env) < 0) {
        ALOGE("Unable to register all android natives\n");
        return;
    }

    /*
     * We want to call main() with a String array with arguments in it.
     * At present we have two arguments, the class name and an option string.
     * Create an array to hold them.
     */
    jclass stringClass;
    jobjectArray strArray;
    jstring classNameStr;
    jstring optionsStr;

    stringClass = env->FindClass("java/lang/String");
    assert(stringClass != NULL);
    strArray = env->NewObjectArray(2, stringClass, NULL);
    assert(strArray != NULL);
    classNameStr = env->NewStringUTF(className);
    assert(classNameStr != NULL);
    env->SetObjectArrayElement(strArray, 0, classNameStr);
    optionsStr = env->NewStringUTF(options);
    env->SetObjectArrayElement(strArray, 1, optionsStr);

    /*
     * Start VM.  This thread becomes the main thread of the VM, and will
     * not return until the VM exits.
     */
    char* slashClassName = toSlashClassName(className);
    jclass startClass = env->FindClass(slashClassName);
    if (startClass == NULL) {
        ALOGE("JavaVM unable to locate class '%s'\n", slashClassName);
        /* keep going */
    } else {
        jmethodID startMeth = env->GetStaticMethodID(startClass, "main",
            "([Ljava/lang/String;)V");
        if (startMeth == NULL) {
            ALOGE("JavaVM unable to find main() in '%s'\n", className);
            /* keep going */
        } else {
			//调用“com.android.internal.os.ZygoteInit”的main方法
            env->CallStaticVoidMethod(startClass, startMeth, strArray);

#if 0
            if (env->ExceptionCheck())
                threadExitUncaughtException(env);
#endif
        }
    }
    free(slashClassName);

    ALOGD("Shutting down VM\n");
    if (mJavaVM->DetachCurrentThread() != JNI_OK)
        ALOGW("Warning: unable to detach main thread\n");
    if (mJavaVM->DestroyJavaVM() != 0)
        ALOGW("Warning: VM did not shut down cleanly\n");
}

在AndroidRuntime的start函数中，会调用startVm来启动一个虚机器实例。在start函数的最后，会调用CallStaticVoidMethod来调用com.android.internal.os.ZygoteInit的main方法。com.android.internal.os.ZygoteInit的main方法定义如下：

    public static void main(String argv[]) {
        try {
            // Start profiling the zygote initialization.
            SamplingProfilerIntegration.start();
			//注册Socket
            registerZygoteSocket();
            EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_START,
                SystemClock.uptimeMillis());
            preload();
            EventLog.writeEvent(LOG_BOOT_PROGRESS_PRELOAD_END,
                SystemClock.uptimeMillis());

            // Finish profiling the zygote initialization.
            SamplingProfilerIntegration.writeZygoteSnapshot();

            // Do an initial gc to clean up after startup
            gc();

            // If requested, start system server directly from Zygote
            if (argv.length != 2) {
                throw new RuntimeException(argv[0] + USAGE_STRING);
            }
			
			//如果需要启动启动SystemServer,则启动SystemServer进程
            if (argv[1].equals("start-system-server")) {
                startSystemServer();
            } else if (!argv[1].equals("")) {
                throw new RuntimeException(argv[0] + USAGE_STRING);
            }

            Log.i(TAG, "Accepting command socket connections");

			//启动Socket，等待连接
            if (ZYGOTE_FORK_MODE) {
                runForkMode();
            } else {
                runSelectLoopMode();
            }

            closeServerSocket();
        } catch (MethodAndArgsCaller caller) {
            caller.run();
        } catch (RuntimeException ex) {
            Log.e(TAG, "Zygote died with exception", ex);
            closeServerSocket();
            throw ex;
        }
    }

在ZygoteInit的main函数中，首先会调用registerZygoteSocket来执行注册Socket的操作，我们首先来看一看registerZygoteSocket函数的实现：

private static final String ANDROID_SOCKET_ENV = "ANDROID_SOCKET_zygote";
	private static LocalServerSocket sServerSocket;
    private static void registerZygoteSocket() {
        if (sServerSocket == null) {
            int fileDesc;
            try {
				//得到init进程加载init.rc脚本时候，写入到环境变量中的值
                String env = System.getenv(ANDROID_SOCKET_ENV);
                fileDesc = Integer.parseInt(env);
            } catch (RuntimeException ex) {
                throw new RuntimeException(
                        ANDROID_SOCKET_ENV + " unset or invalid", ex);
            }

            try {
				//构造一个LocalServerSocket对象
                sServerSocket = new LocalServerSocket(createFileDescriptor(fileDesc));
            } catch (IOException ex) {
                throw new RuntimeException(
                        "Error binding to local socket '" + fileDesc + "'", ex);
            }
        }
    }

在Init进程加载init.rc，如果要启动的服务需要一个Socket，则会将该Socket的地址写入到环境变量中。因此在registerZygoteSocket函数中，就会首先将这个地址从环境变量中读出来，并且接着用这个地址来创建一个LocalServerSocket对象，并用静态成员sServerSocket来保存该对象。

我们看一看LocalServerSocket对象的构造过程，LocalServerSocket的构造函数如下：

	private final LocalSocketImpl impl;
    private final LocalSocketAddress localAddress;
	private static final int LISTEN_BACKLOG = 50;
    public LocalServerSocket(FileDescriptor fd) throws IOException
    {	
		//构造一个LocalSocketImpl对象
        impl = new LocalSocketImpl(fd);
		//进行监听
        impl.listen(LISTEN_BACKLOG);
        localAddress = impl.getSockAddress();
    }

在LocalServerSocket类中，有一个类型为LocalSocketImpl成员impl, impl是真正执行Socket操作的对象，因此在这个会首先创建一个LocalSocketImpl对象，并且设置LocalSocketImpl要监听的文件操作符。

我们一起看看LocalSocketImpl的构造和listen过程：

	private FileDescriptor fd;
	LocalSocketImpl(FileDescriptor fd) throws IOException
    {
        this.fd = fd;
    }
	
	protected void listen(int backlog) throws IOException
    {
        if (fd == null) {
            throw new IOException("socket not created");
        }
		
		//调用C++层的listen函数
        listen_native(fd, backlog);
    }

在listen会调用JNI的listen_native函数，在listen_native中会执行listen函数。

当执行完LocalSocketImpl的listen函数之后，程序会一直返回到ZygoteInit的main函数中，接着main函数会判断参数中是否设置了"start-system-server", 如果是，则说明需要启动SystemServer进程，而在init.rc脚本中，是有"start-system-server"参数的, 因此会启动SystemServer进程，关于SystemServer进程的启动，我们以后再分析。

main函数会接着执行，main会将Socket启动起来，来等待连接。我们来看一下runSelectLoopMode函数的实现：

	private static void runSelectLoopMode() throws MethodAndArgsCaller {
        ArrayList<FileDescriptor> fds = new ArrayList();
        ArrayList<ZygoteConnection> peers = new ArrayList();
        FileDescriptor[] fdArray = new FileDescriptor[4];

        fds.add(sServerSocket.getFileDescriptor());
        peers.add(null);

        int loopCount = GC_LOOP_COUNT;
		//死循环，监听连接
        while (true) {
            int index;

            /*
             * Call gc() before we block in select().
             * It's work that has to be done anyway, and it's better
             * to avoid making every child do it.  It will also
             * madvise() any free memory as a side-effect.
             *
             * Don't call it every time, because walking the entire
             * heap is a lot of overhead to free a few hundred bytes.
             */
            if (loopCount <= 0) {
                gc();
                loopCount = GC_LOOP_COUNT;
            } else {
                loopCount--;
            }


            try {
                fdArray = fds.toArray(fdArray);
				//select模式来监听连接请求
                index = selectReadable(fdArray);
            } catch (IOException ex) {
                throw new RuntimeException("Error in select()", ex);
            }

            if (index < 0) {
                throw new RuntimeException("Error in select()");
            } else if (index == 0) {
                ZygoteConnection newPeer = acceptCommandPeer();
                peers.add(newPeer);
                fds.add(newPeer.getFileDesciptor());
            } else {
                boolean done;
		//响应连接
                done = peers.get(index).runOnce();

                if (done) {
                    peers.remove(index);
                    fds.remove(index);
                }
            }
        }
    }

在runSelectLoopMode函数中，会循环监听连接请求，当有连接时，会调用ZygoteConnection的runOnce来响应该连接，在runOnce会fork一个进程，并进行一些初始化该进程的操作，我们在以后的文章中再分析该过程！

这样，我们就分析了Zygote进程的过程。从这个分析过程中，我们知道：

第一，Zygote进程是由Init进程fork出来的，以后所以的应用程序进程都是由Zygote进程Fork出来的。

第二，在Zygote进程启动的时候，会加载一个虚拟机实例。所有的应用层通过复制Zygote的方式来获得自己的虚拟机实例

第三，在Zygote进程启动的时候，会启动一个Socket，ActivityManagerService会通过Socket连接来请求Zygote来生成新的进程

第四，Zygote在启动的同时，会启动SystemServer进程，以便启动关键服务。