当前位置: 代码迷 >> Android >> 归藏 Android系统 init 启动过程分析
  详细解决方案

归藏 Android系统 init 启动过程分析

热度:44   发布时间:2016-05-01 15:42:52.0
收藏 Android系统 init 启动过程分析
Android init 启动过程分析



分析android的启动过程,从内核之上,我们首先应该从文件系统的init开始,因为 init 是内核进入文件系统后第一个运行的程序,通常我们可以在linux的命令行中指定内核第一个调用谁,如果没指定那么内核将会到/sbin/, /bin/ 等目录下查找默认的init,如果没有找到那么就报告出错。
下面是曾经用过的几种开发板的命令行参数:
S3C2410 启动参数:
noinitrd root=/dev/nfs  nfsroot=192.168.2.56:/nfsroot/rootfs   ip=192.168.2.188:192.168.2.56:192.168.2.56:255.255.255.0::eth0:on console=ttySAC0
S3C2440 启动参数:
setenv bootargs console=ttySAC0 root=/dev/nfs nfsroot=192.168.2.56:/nfsroot/rootfs ip=192.168.2.175:192.168.2.56:192.168.2.201:255.255.255.0::eth0:on mem=64M init=/init        
marvell 310 启动参数:
boot root=/dev/nfs nfsroot=192.168.2.56:/nfsroot/rootfs,rsize=1024,wsize=1024 ip=192.168.2.176:192.168.2.201:192.168.2.201:255.255.255.0::eth0:-On  console=ttyS2,115200 mem=64M init=/init

init的源代码在文件:./system/core/init/init.c 中,init会一步步完成下面的任务:
1.初始化log系统

2.解析/init.rc和/init.%hardware%.rc文件 

3. 执行 early-init action in the two files parsed in step 2. 

4. 设备初始化,例如:在 /dev 下面创建所有设备节点,下载 firmwares. 

5. 初始化属性服务器,Actually the property system is working as a share memory. Logically it looks like a registry under Windows system. 

6. 执行 init action in the two files parsed in step 2. 

7. 开启 属性服务。

8. 执行 early-boot and boot actions in the two files parsed in step 2. 

9. 执行 Execute property action in the two files parsed in step 2. 

10. 进入一个无限循环 to wait for device/property set/child process exit events.例如, 如果SD卡被插入,init会收到一个设备插入事件,它会为这个设备创建节点。系统中比较重要的进程都是由init来fork的,所以如果他们他谁崩溃了,那么init 将会收到一个 SIGCHLD 信号,把这个信号转化为子进程退出事件, 所以在loop中,init 会操作进程退出事件并且执行 *.rc 文件中定义的命令。
例如,在init.rc中,因为有:
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    socket zygote stream 666
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
所以,如果zygote因为启动某些服务导致异常退出后,init将会重新去启动它。

int main(int argc, char **argv)
{
    ...
    //需要在后面的程序中看打印信息的话,需要屏蔽open_devnull_stdio()函数
    open_devnull_stdio();
    ...
    //初始化log系统
    log_init();
    //解析/init.rc和/init.%hardware%.rc文件
    parse_config_file("/init.rc");
    ...
    snprintf(tmp, sizeof(tmp), "/init.%s.rc", hardware);
    parse_config_file(tmp);
    ...
    //执行 early-init action in the two files parsed in step 2.
    action_for_each_trigger("early-init", action_add_queue_tail);
    drain_action_queue();
    ...
    /* execute all the boot actions to get us started */
    /* 执行 init action in the two files parsed in step 2 */
    action_for_each_trigger("init", action_add_queue_tail);
    drain_action_queue();
    ...
    /* 执行 early-boot and boot actions in the two files parsed in step 2 */
    action_for_each_trigger("early-boot", action_add_queue_tail);
    action_for_each_trigger("boot", action_add_queue_tail);
    drain_action_queue();

    /* run all property triggers based on current state of the properties */
    queue_all_property_triggers();
    drain_action_queue();

    /* enable property triggers */ 
    property_triggers_enabled = 1;   
    ...
    for(;;) {
        int nr, timeout = -1;
    ...
        drain_action_queue();
        restart_processes();

        if (process_needs_restart) {
            timeout = (process_needs_restart - gettime()) * 1000;
            if (timeout < 0)
                timeout = 0;
        }
     ...
        nr = poll(ufds, 3, timeout);
        if (nr <= 0)
            continue;

        if (ufds[2].revents == POLLIN) {
            /* we got a SIGCHLD - reap and restart as needed */
            read(signal_recv_fd, tmp, sizeof(tmp));
            while (!wait_for_one_process(0))
                ;
            continue;
        }

        if (ufds[0].revents == POLLIN)
            handle_device_fd(device_fd);

        if (ufds[1].revents == POLLIN)
    {
            handle_property_set_fd(property_set_fd);
    }
    }

    return 0;
}


2.解析init.rc脚本
init.rc 脚本的具体语法可以参考下面文档
http://www.kandroid.org/android_pdk/bring_up.html
名词解释:
Android初始化語言由四大类声明组成:行为类(Actions),命令类(Commands),服务类(Services),选项类(Options).
初始化语言以行为单位,由以空格间隔的语言符号組成。C风格的反斜杠转义符可以用来插入空白到语言符号。双引号也可以用来防止文本被空格分成多个语言符号。当反斜杠在行末时,作为换行符。
* 以#开始(前面允许空格)的行为注释。
* Actions和Services隐含声明一个新的段落。所有该段落下Commands或Options的声明属于该段落。第一段落前的Commands或Options被忽略。
* Actions和Services拥有唯一的命名。在他们之后声明相同命名的类将被当作错误并忽略。
Actions是一系列命令的命名。Actions拥有一个触发器(trigger)用来決定action何時执行。当一个action在符合触发条件被执行时,如果它还没被加入到待执行队列中的话,則加入到队列最后。
队列中的action依次执行,action中的命令也依次执行。Init在执行命令的中间处理其他活动(设备创建/销毁,property 设置,进程重启)。

Actions的表现形式:
on <trigger>
  <command>
  <command>
  <command>
重要的数据结构
两个列表,一个队列。
static list_declare(service_list);
static list_declare(action_list);
static list_declare(action_queue);
*.rc 脚本中所有 service关键字定义的服务将会添加到 service_list 列表中。
*.rc 脚本中所有 on     关键开头的项将会被会添加到 action_list 列表中。
每个action列表项都有一个列表,此列表用来保存该段落下的 Commands

脚本解析过程:
parse_config_file("/init.rc")
int parse_config_file(const char *fn)
{
    char *data;
    data = read_file(fn, 0);
    if (!data) return -1;

    parse_config(fn, data);
    DUMP();
    return 0;
}
static void parse_config(const char *fn, char *s)

    ...
    case T_NEWLINE:
        if (nargs) {
            int kw = lookup_keyword(args[0]);
            if (kw_is(kw, SECTION)) {
                state.parse_line(&state, 0, 0);
                parse_new_section(&state, kw, nargs, args);
            } else {
                state.parse_line(&state, nargs, args);
            }
            nargs = 0;
        }
   ...


parse_config会逐行对脚本进行解析,如果关键字类型为  SECTION ,那么将会执行 parse_new_section()
类型为 SECTION 的关键字有: on 和 sevice
关键字类型定义在 Parser.c (system\core\init) 文件中
Parser.c (system\core\init)
#define SECTION 0x01
#define COMMAND 0x02
#define OPTION  0x04
关键字        属性      
capability,  OPTION,  0, 0)
class,       OPTION,  0, 0)
class_start, COMMAND, 1, do_class_start)
class_stop,  COMMAND, 1, do_class_stop)
console,     OPTION,  0, 0)
critical,    OPTION,  0, 0)
disabled,    OPTION,  0, 0)
domainname,  COMMAND, 1, do_domainname)
exec,        COMMAND, 1, do_exec)
export,      COMMAND, 2, do_export)
group,       OPTION,  0, 0)
hostname,    COMMAND, 1, do_hostname)
ifup,        COMMAND, 1, do_ifup)
insmod,      COMMAND, 1, do_insmod)
import,      COMMAND, 1, do_import)
keycodes,    OPTION,  0, 0)
mkdir,       COMMAND, 1, do_mkdir)
mount,       COMMAND, 3, do_mount)
on,          SECTION, 0, 0)
oneshot,     OPTION,  0, 0)
onrestart,   OPTION,  0, 0)
restart,     COMMAND, 1, do_restart)
service,     SECTION, 0, 0)
setenv,      OPTION,  2, 0)
setkey,      COMMAND, 0, do_setkey)
setprop,     COMMAND, 2, do_setprop)
setrlimit,   COMMAND, 3, do_setrlimit)
socket,      OPTION,  0, 0)
start,       COMMAND, 1, do_start)
stop,        COMMAND, 1, do_stop)
trigger,     COMMAND, 1, do_trigger)
symlink,     COMMAND, 1, do_symlink)
sysclktz,    COMMAND, 1, do_sysclktz)
user,        OPTION,  0, 0)
write,       COMMAND, 2, do_write)
chown,       COMMAND, 2, do_chown)
chmod,       COMMAND, 2, do_chmod)
loglevel,    COMMAND, 1, do_loglevel)
device,      COMMAND, 4, do_device)

parse_new_section()中再分别对 service 或者 on 关键字开头的内容进行解析。
    ...
    case K_service:
        state->context = parse_service(state, nargs, args);
        if (state->context) {
            state->parse_line = parse_line_service;
            return;
        }
        break;
    case K_on:
        state->context = parse_action(state, nargs, args);
        if (state->context) {
            state->parse_line = parse_line_action;
            return;
        }
        break;
    }
    ...

对 on 关键字开头的内容进行解析
static void *parse_action(struct parse_state *state, int nargs, char **args)
{
    ...
    act = calloc(1, sizeof(*act));
    act->name = args[1];
    list_init(&act->commands);
    list_add_tail(&action_list, &act->alist);
    ...
}

对 service 关键字开头的内容进行解析
static void *parse_service(struct parse_state *state, int nargs, char **args)
{
    struct service *svc;
    if (nargs < 3) {
        parse_error(state, "services must have a name and a program\n");
        return 0;
    }
    if (!valid_name(args[1])) {
        parse_error(state, "invalid service name '%s'\n", args[1]);
        return 0;
    }
    //如果服务已经存在service_list列表中将会被忽略
    svc = service_find_by_name(args[1]);
    if (svc) {
        parse_error(state, "ignored duplicate definition of service '%s'\n", args[1]);
        return 0;
    }
  
    nargs -= 2;
    svc = calloc(1, sizeof(*svc) + sizeof(char*) * nargs);
    if (!svc) {
        parse_error(state, "out of memory\n");
        return 0;
    }
    svc->name = args[1];
    svc->classname = "default";
    memcpy(svc->args, args + 2, sizeof(char*) * nargs);
    svc->args[nargs] = 0;
    svc->nargs = nargs;
    svc->onrestart.name = "onrestart";
    list_init(&svc->onrestart.commands);
    //添加该服务到 service_list 列表
    list_add_tail(&service_list, &svc->slist);
    return svc;
}
服务的表现形式:
service <name> <pathname> [ <argument> ]*
<option>
<option>
...

申请一个service结构体,然后挂接到service_list链表上,name 为服务的名称 pathname 为执行的命令 argument
为命令的参数。之后的 option 用来控制这个service结构体的属性,parse_line_service 会对 service关键字后的
内容进行解析并填充到 service 结构中 ,当遇到下一个service或者on关键字的时候此service选项解析结束。

例如:
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    socket zygote stream 666
    onrestart write /sys/android_power/request_state wake
服务名称为:                           zygote
启动该服务执行的命令:                 /system/bin/app_process
命令的参数:                           -Xzygote /system/bin --zygote --start-system-server
socket zygote stream 666: 创建一个名为:/dev/socket/zygote 的 socket ,类型为:stream

当*.rc 文件解析完成以后:
action_list 列表项目如下:
on init
on boot
on property:ro.kernel.qemu=1
on property:persist.service.adb.enable=1
on property:persist.service.adb.enable=0
init.marvell.rc 文件
on early-init
on init
on early-boot
on boot

service_list 列表中的项有:
service console
service adbd
service servicemanager
service mountd
service debuggerd
service ril-daemon
service zygote
service media
service bootsound
service dbus
service hcid
service hfag
service hsag
service installd
service flash_recovery


状态服务器相关:
在init.c 的main函数中启动状态服务器。
property_set_fd = start_property_service();
状态读取函数:
Property_service.c (system\core\init)
const char* property_get(const char *name)
Properties.c (system\core\libcutils)
int property_get(const char *key, char *value, const char *default_value)
状态设置函数:
Property_service.c (system\core\init)
int property_set(const char *name, const char *value)
Properties.c (system\core\libcutils)
int property_set(const char *key, const char *value)

在终端模式下我们可以通过执行命令 setprop <key> <value>
setprop 工具源代码所在文件: Setprop.c (system\core\toolbox)
Getprop.c (system\core\toolbox):        property_get(argv[1], value, default_value);
Property_service.c (system\core\init)
中定义的状态读取和设置函数仅供init进程调用,


handle_property_set_fd(property_set_fd);
  property_set()   //Property_service.c (system\core\init)
    property_changed(name, value) //Init.c (system\core\init)
      queue_property_triggers(name, value)
      drain_action_queue()
只要属性一改变就会被触发,然后执行相应的命令: 
例如:
在init.rc 文件中有
on property:persist.service.adb.enable=1
  start adbd
on property:persist.service.adb.enable=0
  stop adbd
所以如果在终端下输入:
setprop property:persist.service.adb.enable 1或者0
那么将会开启或者关闭adbd 程序。



执行action_list 中的命令:
从action_list 中取出 act->name 为 early-init 的列表项,再调用 action_add_queue_tail(act)将其插入到
队列 action_queue 尾部。drain_action_queue() 从action_list队列中取出队列项 ,然后执行act->commands
列表中的所有命令。
所以从  ./system/core/init/init.c mian()函数的程序片段:
action_for_each_trigger("early-init", action_add_queue_tail);
drain_action_queue();
action_for_each_trigger("init", action_add_queue_tail);
drain_action_queue();
action_for_each_trigger("early-boot", action_add_queue_tail);
action_for_each_trigger("boot", action_add_queue_tail);
drain_action_queue();
/* run all property triggers based on current state of the properties */
queue_all_property_triggers();
drain_action_queue();
可以看出,在解析完init.rc init.marvell.rc 文件后,action 命令执行顺序为:
执行act->name 为 early-init,act->commands列表中的所有命令
执行act->name 为 init,            act->commands列表中的所有命令
执行act->name 为 early-boot,act->commands列表中的所有命令
执行act->name 为 boot,            act->commands列表中的所有命令

关键的几个命令:
class_start default   启动所有service 关键字定义的服务。
class_start 在act->name为boot的 act->commands列表中,所以当 class_start 被触发后,实际
上调用的是函数 do_class_start()
int do_class_start(int nargs, char **args)
{
        /* Starting a class does not start services
         * which are explicitly disabled.  They must
         * be started individually.
         */
    service_for_each_class(args[1], service_start_if_not_disabled);
    return 0;
}
void service_for_each_class(const char *classname,
                            void (*func)(struct service *svc))
{
    struct listnode *node;
    struct service *svc;
    list_for_each(node, &service_list) {
        svc = node_to_item(node, struct service, slist);
        if (!strcmp(svc->classname, classname)) {
            func(svc);
        }
    }
}

因为在调用 parse_service() 添加服务列表的时候,所有服务 svc->classname 默认取值:"default",
所以 service_list 中的所有服务将会被执行。
参考文档:
http://blog.chinaunix.net/u1/38994/showart_1775465.html
http://blog.chinaunix.net/u1/38994/showart_1168440.html
浅析kernel启动的第1个用户进程init如何解读init.rc脚本
http://blog.chinaunix.net/u1/38994/showart_1168440.html



Zygote 服务概论:
Zygote 是android 系统中最重要的一个服务,它将一步一步完成下面的任务:
start Android Java Runtime and start system server. It’s the most important service. The source is in device/servers/app.
1. 创建JAVA 虚拟机
2. 为JAVA 虚拟机注册android 本地函数
3. 调用 com.android.internal.os.ZygoteInit 类中的main函数,android/com/android/internal/os/ZygoteInit.java.
a) 装载ZygoteInit类
b) 注册zygote socket
c) 装载preload classes(the default file is device/java/android/preloaded-classes)
d) 装载Load preload 资源
e) 调用 Zygote::forkSystemServer (定义在./dalvik/vm/InternalNative.c)来fork一个新的进程,在新进程中调用 com.android.server.SystemServer 的main函数。
a) 装载 libandroid_servers.so库
bb) 调用JNI native init1 函数 (device/libs/android_servers/com_android_server_SystemServers)
Load libandroid_servers.so
Call JNI native init1 function implemented in device/libs/android_servers/com_android_server_SystemServers. It only calls system_init implemented in device/servers/system/library/system_init.cpp.
If running on simulator, instantiate AudioFlinger, MediaPlayerService and CameraService here.
Call init2 function in JAVA class named com.android.server.SystemServer, whose source is in device/java/services/com/android/server. This function is very critical for Android because it start all of Android JAVA services.
If not running on simulator, call IPCThreadState::self()->joinThreadPool() to enter into service dispatcher.

SystemServer::init2 将会启动一个新的线程来启动下面的所有JAVA服务:
Core 服务:
1.  Starting Power Manager(电源管理)
2.  Creating Activity Manager(活动服务)
3.  Starting Telephony Registry(电话注册服务)
4.  Starting Package Manager(包管理器)
5.  Set Activity Manager Service as System Process
6.  Starting Context Manager
7.  Starting System Context Providers
8.  Starting Battery Service(电池服务)
9.  Starting Alarm Manager(闹钟服务)
10. Starting Sensor Service
11. Starting Window Manager(启动窗口管理器)
12. Starting Bluetooth Service(蓝牙服务)
13. Starting Mount Service

其他services:
1.  Starting Status Bar Service(状态服务)
2.  Starting Hardware Service(硬件服务)
3.  Starting NetStat Service(网络状态服务)
4.  Starting Connectivity Service
5.  Starting Notification Manager
6.  Starting DeviceStorageMonitor Service
7.  Starting Location Manager
8.  Starting Search Service(查询服务)
9.  Starting Clipboard Service
10. Starting Checkin Service
11. Starting Wallpaper Service
12. Starting Audio Service
13. Starting HeadsetObserver
14. Starting AdbSettingsObserver

最后SystemServer::init2 将会调用 ActivityManagerService.systemReady 通过发送
Intent.CATEGORY_HOME intent来启动第一个 activity.还有另外一种启动system server的方法是:
通过名为 system_server的程序(源代码:device/servers/system/system_main.cpp)它也是通过
调用 system_init 来启动 system services,这时候就有个问题:为什么android 有两种方式启动system services?
我的猜想是:
My guess is that directly start system_server may have synchronous problem with zygote because system_server will call JNI to start SystemServer::init2, while at that time zygote may not start JAVA VM yet. So Android uses another method. After zynote is initialized, fork a new process to start system services.


Zygote服务启动的详细过程:
通过启动服务列表的 app_process 进程,实际上进入的是
App_main.cpp (frameworks\base\cmds\app_process)
main()
根据 init.rc 中的 --zygote --start-system-server
分别调用的是
runtime.start("com.android.internal.os.ZygoteInit",startSystemServer);
或者
runtime.start();
start()函数在 AndroidRuntime.cpp (frameworks\base\core\jni)文件中
从打印信息:
D/AndroidRuntime(   56): >>>>>>>>>>>>>> AndroidRuntime START <<<<<<<<<<<<<<
也可以看出调用的是:
AndroidRuntime::start(const char* className, const bool startSystemServer)
  JNI_CreateJavaVM()
  startReg()
    LOGD("--- registering native functions ---\n");
  startMeth = env->GetStaticMethodID(startClass, "main","([Ljava/lang/String;)V");
  从上面的调用可以看出一类引用的过程都是从 main方法
所以接着调用了 ZygoteInit 类的main方法
main方法主要完成:
1.Register zygote socket, Registers a server socket for zygote command connections
2.Load preload classes(the default file is device/java/android/preloaded-classes).
3.Load preload resources, Load in commonly used resources, so they can be shared across processes.
4.Start SystemServer, Prepare the arguments and fork for the system server process.
具体执行过程如下:
ZygoteInit.java (frameworks\base\core\java\com\android\internal\os)中的mian
main()
  registerZygoteSocket()
  preloadClasses()
    loadLibrary()
      Log.i(TAG, "Preloading classes...");
    Runtime.loadLibrary
      Dalvik_java_lang_Runtime_nativeLoad()
        dvmLoadNativeCode()
          LOGD("Trying to load lib %s %p\n", pathName, classLoader);
          System.loadLibrary("media_jni");
  preloadResources();
  startSystemServer()
    Zygote.forkSystemServer(parsedArgs.uid, parsedArgs.gid,parsedArgs.gids, debugFlags, null);
    //Zygote.java (dalvik\libcore\dalvik\src\main\java\dalvik\system)
      forkSystemServer()
        forkAndSpecialize()   //Zygote.java (dalvik\libcore\dalvik\src\main\java\dalvik\system)
          Dalvik_dalvik_system_Zygote_forkAndSpecialize() //dalvik_system_Zygote.c (dalvik\vm\native)
            Dalvik_dalvik_system_Zygote_forkAndSpecialize()
              setSignalHandler()
              fork()
      handleSystemServerProcess() //handleChildProc(parsedArgs, descriptors, newStderr);
        closeServerSocket();
      RuntimeInit.zygoteInit(parsedArgs.remainingArgs);
        zygoteInit()         //RuntimeInit.java (frameworks\base\core\java\com\android\internal\os)
          zygoteInitNative()
            invokeStaticMain()
              System.loadLibrary("android_servers");
              //com.android.server.SystemServer startSystemServer() 函数中
              m = cl.getMethod("main", new Class[] { String[].class });
                //执行的是SystemServer 类的main函数 SystemServer.java (frameworks\base\services\java\com\android\server)
                init1() //SystemServer.java (frameworks\base\services\java\com\android\server)            
                  //init1()实际上是调用android_server_SystemServer_init1(JNIEnv* env, jobject clazz)
                  //com_android_server_SystemServer.cpp (frameworks\base\services\jni)
                android_server_SystemServer_init1()//JNI 调用
                  system_init() //System_init.cpp (frameworks\base\cmds\system_server\library)
                    // Start the SurfaceFlinger
                    SurfaceFlinger::instantiate();
                    //Start the AudioFlinger media playback  camera service
                      AudioFlinger::instantiate();
                      MediaPlayerService::instantiate();
                      CameraService::instantiate();
                      //调用 SystemServer 类的init2
                      runtime->callStatic("com/android/server/SystemServer", "init2");
                      init2()//SystemServer.java (frameworks\base\services\java\com\android\server)
                      ServerThread()
                        run()//在run中启动电源管理,蓝牙,等核心服务以及状态,查找等其他服务
                         ((ActivityManagerService)ServiceManager.getService("activity")).setWindowManager(wm);
                         ...
                         ActivityManagerNative.getDefault().systemReady();        
  runSelectLoopMode();
    done = peers.get(index).runOnce();
      forkAndSpecialize()   //Zygote.java (dalvik\libcore\dalvik\src\main\java\dalvik\system)
        Dalvik_dalvik_system_Zygote_forkAndSpecialize() //dalvik_system_Zygote.c (dalvik\vm\native)
          forkAndSpecializeCommon()     
            setSignalHandler()
          RETURN_INT(pid);               
  closeServerSocket();

见附A
主進程runSelectLoopMode()
5.Runs the zygote process's select loop runSelectLoopMode(), Accepts new connections as they happen, and reads commands from connections one spawn-request's worth at a time.
如果运行正常,则zygote进程会在runSelectLoopMode()中循环:



zygote 被siganl(11)终止
在  dalvik_system_Zygote.c (dalvik\vm\native)
的 static void sigchldHandler(int s) 函数中打印:             
"Process %d terminated by signal (%d)\n",
"Exit zygote because system server (%d) has terminated\n",




startSystemServer() ZygoteInit.java (frameworks\base\core\java\com\android\internal\os)
SystemServer 的mian()函数会调用
SystemServer.java (frameworks\base\services\java\com\android\server)中的 init1()函数。
init1()实际执行的是com_android_server_SystemServer.cpp (frameworks\base\services\jni)
中的 android_server_SystemServer_init1()。
android_server_SystemServer_init1()调用的是
System_init.cpp (frameworks\base\cmds\system_server\library) 中的 system_init()函数
system_init()函数定义如下:
extern "C" status_t system_init()
{
    ...
    sp<IServiceManager> sm = defaultServiceManager();
    ...
    property_get("system_init.startsurfaceflinger", propBuf, "1");
    if (strcmp(propBuf, "1") == 0) {
        //读取属性服务器,开启启动 SurfaceFlinger服务
        //接着会开始显示机器人图标
        //BootAnimation.cpp (frameworks\base\libs\surfaceflinger):status_t BootAnimation::readyToRun()
        SurfaceFlinger::instantiate();

    }
    //在模拟器上 audioflinger 等几个服务与设备上的启动过程不一样,所以
    //我们在这里启动他们。

    if (!proc->supportsProcesses()) {
        //启动 AudioFlinger,media playback service,camera service服务
        AudioFlinger::instantiate();
        MediaPlayerService::instantiate();
        CameraService::instantiate();
    }
    //现在开始运行 the Android runtime ,我们这样做的目的是因为必须在 core system services
    //起来以后才能 Android runtime initialization,其他服务在调用他们自己的main()时,都会
    //调用 Android runtime
    //before calling the init function.
    LOGI("System server: starting Android runtime.\n");
    AndroidRuntime* runtime = AndroidRuntime::getRuntime();
    LOGI("System server: starting Android services.\n");
    //调用 SystemServer.java (frameworks\base\services\java\com\android\server)
    //中的init2函数
    runtime->callStatic("com/android/server/SystemServer", "init2");
      
    // If running in our own process, just go into the thread
    // pool.  Otherwise, call the initialization finished
    // func to let this process continue its initilization.
    if (proc->supportsProcesses()) {
        LOGI("System server: entering thread pool.\n");
        ProcessState::self()->startThreadPool();
        IPCThreadState::self()->joinThreadPool();
        LOGI("System server: exiting thread pool.\n");
    }
    return NO_ERROR;
}


System server: entering thread pool 表明已经进入服务线程 ServerThread
在 ServerThread 类的run 服务中开启核心服务:
    @Override
    public void run() {
        EventLog.writeEvent(LOG_BOOT_PROGRESS_SYSTEM_RUN,
            SystemClock.uptimeMillis());

        ActivityManagerService.prepareTraceFile(false);     // create dir

        Looper.prepare();
    //设置线程的优先级
        android.os.Process.setThreadPriority(
                android.os.Process.THREAD_PRIORITY_FOREGROUND);
    ...
        //关键(核心)服务
        try {
            Log.i(TAG, "Starting Power Manager.");
            Log.i(TAG, "Starting ?activity Manager.");
            Log.i(TAG, "Starting telephony registry");
            Log.i(TAG, "Starting Package Manager.");
            Log.i(TAG, "?tarting Content Manager.");
            Log.i(TAG, "Starting System Content Providers.");
            Log.i(TAG, "Starting Battery Service.");
            Log.i(TAG, "Starting Alarm Manager.");
            Log.i(TAG, "Starting Sensor Service.");
            Log.i(TAG, "Starting Window Manager.");
            Log.i(TAG, "Starting Bluetooth Service.");
            //如果是模拟器,那么跳过蓝牙服务。
            // Skip Bluetooth if we have an emulator kernel
         //其他的服务
            Log.i(TAG, "Starting Status Bar Service.");
            Log.i(TAG, "Starting Clipboard Service.");
            Log.i(TAG, "Starting Input Method Service.");
            Log.i(TAG, "Starting Hardware Service.");
            Log.i(TAG, "Starting NetStat Service.");
            Log.i(TAG, "Starting Connectivity Service.");
            Log.i(TAG, "Starting Notification Manager.");
            // MountService must start after NotificationManagerService
            Log.i(TAG, "Starting Mount Service.");
        Log.i(TAG, "Starting DeviceStorageMonitor service");
            Log.i(TAG, "Starting Location Manager.");
            Log.i(TAG, "Starting Search Service.");
            ...
            if (INCLUDE_DEMO) {
                Log.i(TAG, "Installing demo data...");
                (new DemoThread(context)).start();
            }
            try {
                Log.i(TAG, "Starting Checkin Service.");
                Intent intent = new Intent().setComponent(new ComponentName(
                        "com.google.android.server.checkin",
                        "com.google.android.server.checkin.CheckinService"));
                if (context.startService(intent) == null) {
                    Log.w(TAG, "Using fallback Checkin Service.");
                    ServiceManager.addService("checkin", new FallbackCheckinService(context));
                }
            } catch (Throwable e) {
                Log.e(TAG, "Failure starting Checkin Service", e);
            }


            Log.i(TAG, "Starting Wallpaper Service");
        Log.i(TAG, "Starting Audio Service");
            Log.i(TAG, "Starting HeadsetObserver");
            Log.i(TAG, "Starting AppWidget Service");
        ...
            try {
                com.android.server.status.StatusBarPolicy.installIcons(context, statusBar);
            } catch (Throwable e) {
                Log.e(TAG, "Failure installing status bar icons", e);
            }
        }

        // make sure the ADB_ENABLED setting value matches the secure property value
        Settings.Secure.putInt(mContentResolver, Settings.Secure.ADB_ENABLED,
                "1".equals(SystemProperties.get("persist.service.adb.enable")) ? 1 : 0);

        // register observer to listen for settings changes
        mContentResolver.registerContentObserver(Settings.Secure.getUriFor(Settings.Secure.ADB_ENABLED),
                false, new AdbSettingsObserver());

        // It is now time to start up the app processes...
        boolean safeMode = wm.detectSafeMode();
        if (statusBar != null) {
            statusBar.systemReady();
        }
        if (imm != null) {
            imm.systemReady();
        }
        wm.systemReady();
        power.systemReady();
        try {
            pm.systemReady();
        } catch (RemoteException e) {
        }
        if (appWidget != null) {
            appWidget.systemReady(safeMode);
        }

        // After making the following code, third party code may be running...
        try {
            ActivityManagerNative.getDefault().systemReady();
        } catch (RemoteException e) {
        }

        Watchdog.getInstance().start();

        Looper.loop();
        Log.d(TAG, "System ServerThread is exiting!");
    }



startActivity()
  mRemote.transact(START_ACTIVITY_TRANSACTION, data, reply, 0);


ActivityManagerService.java 3136p (frameworks\base\services\java\com\android\server\am)
  startActivity()
    startActivityLocked() //3184
    int res = startActivityLocked(caller, intent, resolvedType,grantedUriPermissions, grantedMode, aInfo,
                    resultTo, resultWho, requestCode, -1, -1,
                    onlyIfNeeded, componentSpecified);


public abstract class ActivityManagerNative extends Binder implements IActivityManager
ActivityManagerService.java 1071p  (frameworks\base\services\java\com\android\server\am)
ActivityManagerService.main()
  //ActivityManagerService.java 7375p (frameworks\base\services\java\com\android\server\am)
  m.startRunning(null, null, null, null);
    //ActivityManagerService.java 7421p (frameworks\base\services\java\com\android\server\am)
    systemReady();

ActivityManagerService.java 3136p (frameworks\base\services\java\com\android\server\am)
  startActivity(IApplicationThread caller,Intent intent,...)
    int startActivityLocked(caller, intent,...)    //3184L 定义:2691L
      void startActivityLocked()       //3132L 定义:2445L
        resumeTopActivityLocked(null); //2562p 定义:2176L
        if(next=NULL)
        {
          intent.addCategory(Intent.CATEGORY_HOME);
          startActivityLocked(null, intent, null, null, 0, aInfo,null, null, 0, 0, 0, false, false);
        }
        else
        {
          startSpecificActivityLocked(next, true, false); //2439L 定义:1628L
            realStartActivityLocked() //1640L    定义:1524L
            //1651L 定义:1654L
            startProcessLocked(r.processName, r.info.applicationInfo, true, 0,"activity", r.intent.getComponent());
              //1717L 定义:1721L
              startProcessLocked(app, hostingType, hostingNameStr);
                //1768L  定义:Process.java 222L(frameworks\base\core\java\android\os)
                int pid = Process.start("android.app.ActivityThread",...)
                  startViaZygote(processClass, niceName, uid, gid, gids,debugFlags, zygoteArgs);
                    pid = zygoteSendArgsAndGetPid(argsForZygote);
                      sZygoteWriter.write(Integer.toString(args.size()));
        }

  runSelectLoopMode();
    done = peers.get(index).runOnce();
      forkAndSpecialize()   //Zygote.java (dalvik\libcore\dalvik\src\main\java\dalvik\system)
        Dalvik_dalvik_system_Zygote_forkAndSpecialize() //dalvik_system_Zygote.c (dalvik\vm\native)
          forkAndSpecializeCommon()     
            setSignalHandler()
          RETURN_INT(pid);

          
       ActivityThread main()
         ActivityThread attach() //ActivityThread.java 3870p (frameworks\base\core\java\android\app)    
           mgr.attachApplication(mAppThread)
           //ActivityManagerService.java 4677p (frameworks\base\services\java\com\android\server\am)
           attachApplication()
             //ActivityManagerService.java 4677p (frameworks\base\services\java\com\android\server\am)
             attachApplicationLocked()
               if (realStartActivityLocked(hr, app, true, true)) //ActivityManagerService.java 4609p (frameworks\base\services\java\com\android\server\am)
               realStartActivityLocked()
                 //ActivityManagerService.java (frameworks\base\services\java\com\android\server\am)
                 app.thread.scheduleLaunchActivity(new Intent(r.intent), r,r.info, r.icicle, results, newIntents, !andResume,isNextTransitionForward());
                 scheduleLaunchActivity()
                   queueOrSendMessage(H.LAUNCH_ACTIVITY, r);
                     ActivityThread.H.handleMessage()
                       handleLaunchActivity()    //ActivityThread.java (frameworks\base\core\java\android\app)
                         performLaunchActivity() //ActivityThread.java (frameworks\base\core\java\android\app)
                           activity = mInstrumentation.newActivity(cl, component.getClassName(), r.intent);

    
            
/////////////////////////////////////////////////      

init 守护进程:
//andriod init 函数启动过程分析:
在main循环中会重复调用
drain_action_queue();
restart_processes();
static void restart_processes()
{
    process_needs_restart = 0;
    service_for_each_flags(SVC_RESTARTING,
                           restart_service_if_needed);
}
通过循环检测服务列表service_list 中每个服务的 svc->flags 标记,如果为 SVC_RESTARTING,
那么在满足条件的情况下调用:restart_service_if_needed
通过 service_start 来再次启动该服务。

ActivityManagerService.main





I/SystemServer(   45): Starting Power Manager.
I/ServiceManager(   26): service 'SurfaceFlinger' died
D/Zygote  (   30): Process 45 terminated by signal (11)
I/Zygote  (   30): Exit zygote because system server (45) has terminated
通过错误信息发现程序在调用 SurfaceFlinger服务的时候被中止。
Service_manager.c (frameworks\base\cmds\servicemanager):
LOGI("service '%s' died\n", str8(si->name));
Binder.c (frameworks\base\cmds\servicemanager):
death->func(bs, death->ptr);


Binder.c (kernel\drivers\misc)中的函数
binder_thread_read()
struct binder_work *w;
switch (w->type)
为 BINDER_WORK_DEAD_BINDER 的时候
binder_parse()中
当 cmd 为 BR_DEAD_BINDER的时候
执行 death->func(bs, death->ptr)
因为函数
int do_add_service(struct binder_state *bs,
                   uint16_t *s, unsigned len,
                   void *ptr, unsigned uid)
的 si->death.func = svcinfo_death;
所以 death->func(bs, death->ptr) 实际上执行的是
svcinfo_death()//Service_manager.c (frameworks\base\cmds\servicemanager)
所以会打印出:service 'SurfaceFlinger' died
I/ServiceManager(   26): service 'SurfaceFlinger' died



Thread::run
  _threadLoop() // Threads.cpp (frameworks\base\libs\utils)
    status_t SurfaceFlinger::readyToRun()
      mBootAnimation = new BootAnimation(this);

资料:

Simple Guide for Porting Android Kernel
http://feixf1974.iteye.com/blog/187773


原文地址 http://blog.chinaunix.net/u1/49742/showart.php?id=1888280 
  相关解决方案