Android FrameWork - 开机启动 SystemServer 进程

基于安卓 12 源码分析

相关类：

frameworks/base/core/java/com/android/internal/os/ZygoteInit.java

frameworks/base/core/java/com/android/internal/os/Zygote.java

frameworks/base/core/java/com/android/internal/os/RuntimeInit.java

frameworks/base/services/java/com/android/server/SystemServer.java

frameworks/base/core/jni/AndroidRuntime.cpp

frameworks/base/cmds/app_process/app_main.cpp

frameworks/base/core/java/android/os/ServiceManager.java

frameworks/base/services/core/java/com/android/server/SystemServiceManager.java

在 ZygoteInit.java 的 main 方法中，启动了 SystemServer 进程：

if (startSystemServer) {Runnable r = forkSystemServer(abiList, zygoteSocketName, zygoteServer);// {@code r == null} in the parent (zygote) process, and {@code r != null} in the// child (system_server) process.if (r != null) {r.run();return;}
}

forkSystemServer 源码：

    private static Runnable forkSystemServer(String abiList, String socketName,ZygoteServer zygoteServer) {//  定义 system_server 进程所需的能力（Linux capabilities）//  这些能力决定了该进程可以执行哪些特权操作long capabilities = posixCapabilitiesAsBits(OsConstants.CAP_IPC_LOCK,// 锁定内存，防止被换出OsConstants.CAP_KILL,OsConstants.CAP_NET_ADMIN,OsConstants.CAP_NET_BIND_SERVICE,OsConstants.CAP_NET_BROADCAST,// 发送广播包OsConstants.CAP_NET_RAW,OsConstants.CAP_SYS_MODULE,OsConstants.CAP_SYS_NICE,OsConstants.CAP_SYS_PTRACE,OsConstants.CAP_SYS_TIME,// 修改系统时间OsConstants.CAP_SYS_TTY_CONFIG,OsConstants.CAP_WAKE_ALARM,// 设置唤醒闹钟OsConstants.CAP_BLOCK_SUSPEND);/* Containers run without some capabilities, so drop any caps that are not available. */StructCapUserHeader header = new StructCapUserHeader(OsConstants._LINUX_CAPABILITY_VERSION_3, 0);StructCapUserData[] data;try {data = Os.capget(header);} catch (ErrnoException ex) {throw new RuntimeException("Failed to capget()", ex);}capabilities &= ((long) data[0].effective) | (((long) data[1].effective) << 32);/* Hardcoded command line to start the system server */// 构造启动 system_server 的参数（硬编码，不可外部修改）String[] args = {"--setuid=1000", // UID 1000 = system 用户"--setgid=1000", // GID 1000 = system 组"--setgroups=1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1018,1021,1023,"+ "1024,1032,1065,3001,3002,3003,3006,3007,3009,3010,3011,3012","--capabilities=" + capabilities + "," + capabilities,"--nice-name=system_server","--runtime-args","--target-sdk-version=" + VMRuntime.SDK_VERSION_CUR_DEVELOPMENT,"com.android.server.SystemServer",// 要启动的主类};ZygoteArguments parsedArgs;int pid;try {// 将字符串参数解析为 ZygoteArguments 对象ZygoteCommandBuffer commandBuffer = new ZygoteCommandBuffer(args);try {parsedArgs = ZygoteArguments.getInstance(commandBuffer);} catch (EOFException e) {throw new AssertionError("Unexpected argument error for forking system server", e);}commandBuffer.close();Zygote.applyDebuggerSystemProperty(parsedArgs);Zygote.applyInvokeWithSystemProperty(parsedArgs);if (Zygote.nativeSupportsMemoryTagging()) {/* The system server has ASYNC MTE by default, in order to allow* system services to specify their own MTE level later, as you* can't re-enable MTE once it's disabled. */String mode = SystemProperties.get("arm64.memtag.process.system_server", "async");if (mode.equals("async")) {parsedArgs.mRuntimeFlags |= Zygote.MEMORY_TAG_LEVEL_ASYNC;} else if (mode.equals("sync")) {parsedArgs.mRuntimeFlags |= Zygote.MEMORY_TAG_LEVEL_SYNC;} else if (!mode.equals("off")) {/* When we have an invalid memory tag level, keep the current level. */parsedArgs.mRuntimeFlags |= Zygote.nativeCurrentTaggingLevel();Slog.e(TAG, "Unknown memory tag level for the system server: "" + mode + """);}} else if (Zygote.nativeSupportsTaggedPointers()) {/* Enable pointer tagging in the system server. Hardware support for this is present* in all ARMv8 CPUs. */parsedArgs.mRuntimeFlags |= Zygote.MEMORY_TAG_LEVEL_TBI;}// ...// 调用 native 层 fork 出 system_server 进程pid = Zygote.forkSystemServer(parsedArgs.mUid, parsedArgs.mGid,parsedArgs.mGids,parsedArgs.mRuntimeFlags,null,parsedArgs.mPermittedCapabilities,parsedArgs.mEffectiveCapabilities);} catch (IllegalArgumentException ex) {throw new RuntimeException(ex);}/* For child process */// fork 返回后，区分父子进程// pid == 0 表示当前在 **子进程（system_server）** 中运行if (pid == 0) {if (hasSecondZygote(abiList)) {waitForSecondaryZygote(socketName);}// 关闭 Zygote 的 socket（子进程不需要监听新请求）zygoteServer.closeServerSocket();// 真正进入 SystemServer.main()，启动各种系统服务。return handleSystemServerProcess(parsedArgs);}return null;}

Zygote.forkSystemServer 源码：

frameworks/base/core/java/com/android/internal/os/Zygote.java

    static int forkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,int[][] rlimits, long permittedCapabilities, long effectiveCapabilities) {ZygoteHooks.preFork();int pid = nativeForkSystemServer(uid, gid, gids, runtimeFlags, rlimits,permittedCapabilities, effectiveCapabilities);// Set the Java Language thread priority to the default value for new apps.Thread.currentThread().setPriority(Thread.NORM_PRIORITY);ZygoteHooks.postForkCommon();return pid;}private static native int nativeForkSystemServer(int uid, int gid, int[] gids, int runtimeFlags,int[][] rlimits, long permittedCapabilities, long effectiveCapabilities);

nativeForkSystemServer 是实现在 以下文件中：

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

前景回顾：

在前面分析 AndroidRuntime::start 代码时，我们知道 startReg 就是注册 JNI 方法 的

// frameworks/base/core/jni/AndroidRuntime.cpp
void AndroidRuntime::start(...) {...JniInvocation jni_invocation;jni_invocation.Init(NULL);JNIEnv* env;if (startVm(&mJavaVM, &env, zygote) != 0) {return;}...// 注册 JNI 方法，包括 com_android_internal_os_Zygote.cpp 里的 native 方法if (startReg(env) < 0) {return;}...
}

startReg(env) 会调用 register_jni_procs 加载一系列 cpp 文件 其中就包括 register_com_android_internal_os_Zygote：

// frameworks/base/core/jni/AndroidRuntime.cpp
int register_jni_procs(...) {...REG_JNI(register_com_android_internal_os_Zygote),...
}

nativeForkSystemServer 关键源码：

// com_android_internal_os_Zygote.cpp
static jint com_android_internal_os_Zygote_nativeForkSystemServer(JNIEnv* env, jclass, jint uid, jint gid, jintArray gids,jint runtime_flags, jobjectArray rlimits,jlong permittedCapabilities, jlong effectiveCapabilities) {pid_t pid = zygote::ForkCommon(env, /*is_system_server=*/true, ...);if (pid == 0) {// 子进程逻辑：进入 system_server} else if (pid > 0) {// 父进程逻辑}// 返回 pid 给 Java 层return pid;
}

可以看到 nativeForkSystemServer 最终会调用 ForkCommon() → 里面再去调用 Linux 的 fork() 系统调用。

呃… 分析岔劈了…

在安卓 10 之前，启动系统服务是通过 ZygoteInit 中抛出一个特殊的异常 ZygoteInit.MethodAndArgsCaller，最后在 catch 里调用 main()。到 Android 12 已经变成 直接 return Runnable， 所以应该去找到这个 Runnable。

在 ZygoteInit.java 的 forkSystemServer 方法中，SystemServer 进程调用了 handleSystemServerProcess 去启动 系统服务：

    private static Runnable forkSystemServer(String abiList, String socketName,ZygoteServer zygoteServer) {// .../* For child process */if (pid == 0) {if (hasSecondZygote(abiList)) {waitForSecondaryZygote(socketName);}zygoteServer.closeServerSocket();return handleSystemServerProcess(parsedArgs);}return null;}

接着在 handleSystemServerProcess 中 调用 zygoteInit：

    private static Runnable handleSystemServerProcess(ZygoteArguments parsedArgs) {//.../** Pass the remaining arguments to SystemServer.*/// 启动 runtimereturn ZygoteInit.zygoteInit(parsedArgs.mTargetSdkVersion,parsedArgs.mDisabledCompatChanges,parsedArgs.mRemainingArgs, cl);}/* should never reach here */}

继续调用 RuntimeInit.applicationInit：

    public static Runnable zygoteInit(int targetSdkVersion, long[] disabledCompatChanges,String[] argv, ClassLoader classLoader) {if (RuntimeInit.DEBUG) {Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");}Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");RuntimeInit.redirectLogStreams();RuntimeInit.commonInit();ZygoteInit.nativeZygoteInit();//进入 binder、signal 等 native 初始化（对应 app_main.cpp 的 onZygoteInit）return RuntimeInit.applicationInit(targetSdkVersion, disabledCompatChanges, argv,classLoader);}

然后来到 RuntimeInit.java 中的 applicationInit:

frameworks/base/core/java/com/android/internal/os/RuntimeInit.java

protected static Runnable applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader) {final Arguments args = new Arguments(argv);return findStaticMain(args.startClass, args.startArgs, classLoader);
}

这里会解析参数，找到启动类：com.android.server.SystemServer，记住这里的 所有参数就是上面的 构造启动 system_server 的参数，包括写死的 com.android.server.SystemServer

findStaticMain()：

private static Runnable findStaticMain(String className, String[] argv, ClassLoader classLoader) {Class<?> cl = Class.forName(className, true, classLoader);Method m = cl.getMethod("main", new Class[] { String[].class });return new MethodAndArgsCaller(m, argv);
}

构造一个 MethodAndArgsCaller (实现了 Runnable) ，持有 SystemServer.main() 的反射方法。

MethodAndArgsCaller:

static class MethodAndArgsCaller implements Runnable {private final Method mMethod;private final String[] mArgs;public MethodAndArgsCaller(Method method, String[] args) {mMethod = method;mArgs = args;}public void run() {try {mMethod.invoke(null, new Object[] { mArgs });} catch (InvocationTargetException ex) {...}}
}

回到 ZygoteInit.main()：

Runnable r = forkSystemServer(...);
if (r != null) {r.run();   // <--- 这里直接执行 SystemServer.main()
}

至此调用链为：

ZygoteInit.main()   [frameworks/base/core/java/com/android/internal/os/ZygoteInit.java]-> forkSystemServer()-> handleSystemServerProcess()-> ZygoteInit.zygoteInit()-> RuntimeInit.applicationInit()-> RuntimeInit.findStaticMain()-> new MethodAndArgsCaller(SystemServer.main)-> r.run()  // MethodAndArgsCaller.run()-> SystemServer.main()  [frameworks/base/services/java/com/android/server/SystemServer.java]

SystemServer.main()：

frameworks/base/services/java/com/android/server/SystemServer.java

public static void main(String[] args) {new SystemServer().run();
}

    private void run() {TimingsTraceAndSlog t = new TimingsTraceAndSlog();try {//...// 主线程 looperLooper.prepareMainLooper();Looper.getMainLooper().setSlowLogThresholdMs(SLOW_DISPATCH_THRESHOLD_MS, SLOW_DELIVERY_THRESHOLD_MS);//...// Initialize native services.System.loadLibrary("android_servers");//...// 初始化系统上下文环境createSystemContext();//...// 创建系统服务管理mSystemServiceManager = new SystemServiceManager(mSystemContext);mSystemServiceManager.setStartInfo(mRuntimeRestart,mRuntimeStartElapsedTime, mRuntimeStartUptime);mDumper.addDumpable(mSystemServiceManager);LocalServices.addService(SystemServiceManager.class, mSystemServiceManager);// 启动各种服务try {t.traceBegin("StartServices");startBootstrapServices(t);startCoreServices(t);startOtherServices(t);} catch (Throwable ex) {Slog.e("System", "******************************************");Slog.e("System", "************ Failure starting system services", ex);throw ex;} finally {t.traceEnd(); // StartServices}//...// Loop forever.Looper.loop();throw new RuntimeException("Main thread loop unexpectedly exited");}

这个 run() 方法是 system_server 进程启动后执行的主逻辑，负责：

• 初始化系统运行环境
• 启动数百个系统服务（如 ActivityManager、PackageManager、PowerManager 等）
• 建立主线程 Looper 循环，使系统持续运行

还有一个重要的地方，就是 binder 线程池的启动，启动binder 线程池后SystemServer进程就可以与其他进程进行通信了，在之前的安卓源码中，binder 线程池的启动都是放在启动 SystemServer 时创建的，而安卓 12 是在

Zygote 初始化阶段启动！

流程如下：

ZygoteInit.java↓ nativeZygoteInit() (JNI)↓
AndroidRuntime.cpp↓ com_android_internal_os_ZygoteInit_nativeZygoteInit()↓ gCurRuntime->onZygoteInit()  ← 虚函数调用↓
AppRuntime.cpp (app_main.cpp)↓ AppRuntime::onZygoteInit()↓ ProcessState::self()->startThreadPool()↓
Binder 驱动开始监听 /dev/binder

SystemServiceManager 和 ServiceManager：

在SystemServer 中创建了这两个类，使用 如下：

SystemServiceManager.startService()
ServiceManager.addService()

SystemServiceManager 功能是在 SystemServer 进程内部启动一个服务对象，让它运行起来，具备自己的逻辑。

ServiceManager 功能是注册 Binder IPC 接口，让其他进程能通过 binder 与该服务交互。

系统服务启动后都会交给 ServiceManager 来管理，另外ServiceManager 是 Android 的系统服务目录，SystemServer 把它创建的服务注册到 ServiceManager，以便其他进程通过名字找到并通信。管理着 SystemServer 对外暴露的所有服务入口。

最后，SystemServer进程被创建后，主要做了如下工作：

1. 创建SystemServiceManager，其用于对系统的服务进行创建、启动和生命周期管理。
2. 启动各种系统服务。