一、Android 启动全景图 1.1 从按下电源键到桌面显示 Android 的启动过程从硬件到用户界面,经历六个阶段:
1. Boot ROM (出厂固化代码) └── 加载 Bootloader 到内存 2. Bootloader (LK/ABL) ├── Verified Boot (AVB/dm-verity) ├── A/B Slot 选择 └── 加载 Linux Kernel 3. Linux Kernel ├── start_kernel() → rest_init() → kernel_init() └── 挂载根文件系统 → 执行 /init 4. Init Process ├── FirstStageMain → SetupSelinux → SecondStageMain ├── 解析 init.rc → 启动关键服务 └── 启动 Zygote 5. Zygote ├── AndroidRuntime::start() ├── 预加载类 + 资源 ├── fork SystemServer └── runSelectLoop (socket 监听) 6. SystemServer ├── 启动引导服务 (AMS/PMS/PowerManager) ├── 启动核心服务 (Battery/UsageStats) ├── 启动其他服务 (WMS/Input/StatusBar) └── systemReady → 启动 Launcher
1.2 AOSP 关键源码路径速查
阶段
AOSP 路径
Bootloader
bootable/bootloader/lk/ (Little Kernel)
Kernel
kernel/ / common/ (Android Common Kernel)
Init
system/core/init/
Init.rc
system/core/rootdir/init.rc
SELinux
system/core/init/selinux.cpp
Zygote
frameworks/base/core/jni/AndroidRuntime.cpp
Zygote (Java)
frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
SystemServer
frameworks/base/services/java/com/android/server/SystemServer.java
AMS
frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
PMS
frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java
WMS
frameworks/base/services/core/java/com/android/server/wm/WindowManagerService.java
二、Boot ROM 与 Bootloader 2.1 Boot ROM Boot ROM 是芯片出厂时固化在 SoC 内部的代码,存储在掩膜 ROM 中,不可修改。它是系统上电后执行的第一条指令 。
Boot ROM 的职责 :
初始化最小硬件(CPU、时钟、看门狗)
从 eMMC/UFS 或 SD 卡加载 Bootloader 的第一阶段到内部 SRAM
验证 Bootloader 的签名(Secure Boot)
跳转到 Bootloader 入口
源码 :Boot ROM 代码由 SoC 厂商(Qualcomm、MediaTek、Samsung)编写,不公开。但 AOSP 中 bootable/bootloader/ 提供了参考实现。
2.2 Little Kernel (LK) / ABL Android 设备通常使用 Little Kernel (LK) 作为 Bootloader,在较新的设备中可能使用 **ABL (Android Bootloader)**。两者都是从 Qualcomm 的 LK 派生。
AOSP 源码路径 :bootable/bootloader/lk/
LK 的主要功能 :
LK 启动流程: ├── arch_init() # 架构相关初始化 ├── platform_init() # 平台相关初始化 ├── target_init() # 设备特定初始化 │ ├── 初始化 DDR 内存控制器 │ ├── 初始化 eMMC/UFS 控制器 │ └── 初始化显示(为 Recovery/充电画面做准备) ├── apps_init() │ ├── aboot_init() # Android Boot 初始化 │ │ ├── 读取 misc 分区(判断 Recovery 模式) │ │ ├── 读取 bootloader 消息 │ │ └── 加载 boot/recovery 分区 │ └── fastboot_init() # Fastboot 模式 └── 跳转到 Kernel
2.3 Verified Boot (AVB 2.0) Android Verified Boot (AVB) 是 Android 的安全启动链验证机制。
AOSP 源码路径 :external/avb/
验证链 :
HW Root of Trust (eFuse 中的公钥哈希) │ ├── 验证 Bootloader (vbmeta 分区签名) │ ├── 验证 boot 分区 (Kernel + ramdisk) │ │ ├── dm-verity: 验证 system 分区 │ │ ├── dm-verity: 验证 vendor 分区 │ │ └── dm-verity: 验证 product 分区 │ └── 验证其他分区 (odm, dtbo 等) │ └── 任意一环验证失败 → 设备进入受限模式 (黄色/红色警告)
vbmeta 结构 (external/avb/libavb/avb_vbmeta_image.h):
typedef struct AvbVBMetaImageHeader { uint8_t magic[4 ]; uint32_t required_libavb_version_major; uint32_t required_libavb_version_minor; uint64_t authentication_data_block_size; uint64_t auxiliary_data_block_size; uint32_t algorithm_type; uint8_t hash[64 ]; uint8_t signature[512 ]; uint8_t public_key[520 ]; } AVB_ATTR_PACKED AvbVBMetaImageHeader;
2.4 A/B Slot 选择 Android 7.0 引入的 A/B(Seamless)系统更新机制:
设备分区布局: ├── boot_a (活动) ├── boot_b (备用) ├── system_a (活动) ├── system_b (备用) ├── vendor_a (活动) ├── vendor_b (备用) └── misc (存储 slot 状态) 启动时选择逻辑: 1. 读取 misc 分区中的 slot-suffix 和 slot-retry-count 2. 如果 retry-count == 0 → 切换到另一个 slot(上次启动失败) 3. 选择 slot → 加载对应的 boot_{slot}.img 4. 启动成功后 → update_engine 标记 slot-successful
源码参考 :system/update_engine/ (A/B 更新引擎)
三、Linux Kernel 启动 3.1 start_kernel() 当 Bootloader 将内核镜像加载到内存并跳转到内核入口后,内核执行 start_kernel()。
AOSP 内核仓库 :https://android.googlesource.com/kernel/common/
asmlinkage __visible void __init __no_sanitize_address start_kernel (void ) { char *command_line; char *after_dashes; setup_arch(&command_line); parse_early_param(); mm_init(); sched_init(); init_IRQ(); init_timers(); console_init(); arch_call_rest_init(); }
3.2 rest_init() → kernel_init() noinline void __ref rest_init (void ) { pid = kernel_thread(kernel_init, NULL , CLONE_FS); pid = kernel_thread(kthreadd, NULL , CLONE_FS | CLONE_FILES); do_idle(); } static int __ref kernel_init (void *unused) { kernel_init_freeable(); if (ramdisk_execute_command) { ret = run_init_process(ramdisk_execute_command); } if (!try_to_run_init_process("/init" )) return 0 ; panic("No working init found. Try passing init= option to kernel." ); }
关键点 :kernel_init 首先尝试执行 ramdisk 中的 /init,这就是 Android 的 init 进程入口。
四、Init 进程 —— 用户空间的第一个进程 4.1 Android init 的整体流程 AOSP 源码路径 :system/core/init/
main() [system/core/init/main.cpp] ├── FirstStageMain() [first_stage_init.cpp] │ ├── 挂载基本文件系统 (/dev, /proc, /sys) │ ├── 加载内核模块 │ ├── 创建 /dev/kmsg (内核日志设备) │ └── 切换到第二阶段 init │ ├── SetupSelinux() [selinux.cpp] │ ├── 加载 SEPolicy (从 /vendor/etc/selinux 或 /system/etc/selinux) │ ├── 从内核读取安全上下文 │ └── 将 init 进程设置为 enforcing 模式 │ ├── SecondStageMain() [init.cpp] │ ├── 解析 /system/etc/init/hw/init.rc │ ├── 解析 /system/etc/init/*.rc │ ├── 解析 /vendor/etc/init/*.rc │ ├── 解析 /odm/etc/init/*.rc │ ├── 构建 Action 和 Service 的链表 │ ├── 触发 early-init │ ├── 启动 ueventd (冷插拔设备) │ └── 进入主循环 │ └── 主循环 (epoll) ├── 监听 property 变化 ├── 监听子进程退出 (SIGCHLD) ├── 执行 Action 的 command └── 重启崩溃的关键服务
4.2 FirstStageMain 详解 源码 :system/core/init/first_stage_init.cpp
int FirstStageMain (int argc, char ** argv) if (argc > 1 && strcmp (argv[1 ], "first_stage_console" ) == 0 ) { } umask (0 ); CHECKCALL (mount ("tmpfs" , "/dev" , "tmpfs" , MS_NOSUID, "mode=0755" )); CHECKCALL (mkdir ("/dev/pts" , 0755 )); CHECKCALL (mkdir ("/dev/socket" , 0755 )); CHECKCALL (mount ("devpts" , "/dev/pts" , "devpts" , 0 , NULL )); CHECKCALL (mount ("proc" , "/proc" , "proc" , 0 , NULL )); CHECKCALL (mount ("sysfs" , "/sys" , "sysfs" , 0 , NULL )); InitKernelLogging (argv); Modprobe::LoadListedModules (); const char * path = "/system/bin/init" ; const char * args[] = {path, "selinux_setup" , nullptr }; execv (path, const_cast <char **>(args)); return EXIT_FAILURE; }
4.3 SELinux 初始化 源码 :system/core/init/selinux.cpp
int SetupSelinux (char ** argv) InitKernelLogging (argv); if (mount ("selinuxfs" , "/sys/fs/selinux" , "selinuxfs" , 0 , 0 ) == -1 ) { } bool success = false ; if (IsSplitPolicyDevice ()) { success = LoadSplitPolicy (); } else { success = LoadMonolithicPolicy (); } bool is_enforcing = security_getenforce () == 1 ; if (cmdline == "androidboot.selinux=permissive" ) { is_enforcing = false ; } security_setenforce (is_enforcing); const char * path = "/system/bin/init" ; const char * args[] = {path, "second_stage" , nullptr }; execv (path, const_cast <char **>(args)); }
4.4 SecondStageMain 详解 源码 :system/core/init/init.cpp
int SecondStageMain (int argc, char ** argv) signal (SIGCHLD, ReapAnyOutstandingChildren); property_init (); process_kernel_dt (); process_kernel_cmdline (); SelinuxInitialize (); epoll_fd = epoll_create1 (EPOLL_CLOEXEC); ActionManager& am = ActionManager::GetInstance (); ServiceList& sm = ServiceList::GetInstance (); Parser parser = CreateParser (am, sm); parser.ParseConfig ("/system/etc/init/hw/init.rc" ); parser.ParseConfig ("/system/etc/init" ); parser.ParseConfig ("/vendor/etc/init" ); parser.ParseConfig ("/odm/etc/init" ); parser.ParseConfig ("/product/etc/init" ); am.QueueEventTrigger ("early-init" ); am.QueueEventTrigger ("init" ); while (true ) { if (!(waiting_for_exec || IsWaitingForProperty ())) { am.ExecuteOneCommand (); } RestartProcesses (); int timeout = -1 ; if (am.HasMoreCommands ()) timeout = 0 ; epoll_event ev; int nr = TEMP_FAILURE_RETRY (epoll_wait (epoll_fd, &ev, 1 , timeout)); if (nr == -1 ) continue ; } }
4.5 init.rc 语法与处理 源码路径 :system/core/rootdir/init.rc
# 全局配置 on early-init # 设置初始进程 OOM 调整值 write /proc/1/oom_score_adj -1000 # 挂载系统分区 mount_all /vendor/etc/fstab.${ro.hardware} --early on init # 设置环境变量 export ANDROID_ROOT /system export ANDROID_DATA /data # 创建关键目录 mkdir /data 0771 system system mkdir /data/app 0771 system system # late-init: 分阶段启动 on late-init trigger early-fs # 挂载文件系统 trigger fs # 完成文件系统挂载 trigger post-fs # 文件系统权限设置 trigger zygote-start # 启动 Zygote trigger early-boot # 早期启动 trigger boot # 核心启动(触发 class_start core) trigger nonencrypted # 非加密设备 # 服务定义 service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server class main user root group root readproc reserved_disk socket zygote stream 660 root system # 创建 /dev/socket/zygote socket usap_pool_primary stream 660 root system onrestart restart audioserver onrestart restart cameraserver onrestart restart media onrestart restart netd writepid /dev/cpuset/foreground/tasks service servicemanager /system/bin/servicemanager class core animation user system group system readproc critical shutdown critical service surfaceflinger /system/bin/surfaceflinger class core animation user system group graphics drmrpc readproc onrestart restart zygote writepid /dev/cpuset/system-background/tasks
init.rc 的处理 (system/core/init/parser.cpp):
void Parser::ParseConfig (const std::string& path) }
五、Zygote —— Android 的进程孵化器 5.1 Zygote 启动流程 源码路径 :
Native 层:frameworks/base/core/jni/AndroidRuntime.cpp
Java 层:frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
app_process (zygote 的入口二进制文件) │ └── main() [frameworks/base/cmds/app_process/app_main.cpp] │ ├── AppRuntime 初始化 (继承 AndroidRuntime) ├── 解析参数: --zygote --start-system-server └── runtime.start("com.android.internal.os.ZygoteInit", args) │ └── AndroidRuntime::start() [AndroidRuntime.cpp] ├── 1. startVm() # 启动 ART 虚拟机 ├── 2. startReg() # 注册 JNI 方法 ├── 3. 找到 ZygoteInit.main() └── 4. 通过 JNI 调用 ZygoteInit.main() │ └── ZygoteInit.main() [ZygoteInit.java] ├── preloadClasses() # 预加载 4500+ 类 ├── preloadResources() # 预加载主题和资源 ├── preloadSharedLibraries() ├── registerZygoteSocket() # 注册 socket ├── forkSystemServer() # fork SystemServer └── runSelectLoop() # 等待 fork 请求
5.2 app_process 的 main 函数 源码 :frameworks/base/cmds/app_process/app_main.cpp
int main (int argc, char * const argv[]) AppRuntime runtime (argv[0 ], computeArgBlockSize(argc, argv)) ; bool zygote = false ; bool startSystemServer = false ; while (i < argc) { if (strcmp (argv[i], "--zygote" ) == 0 ) { zygote = true ; niceName = ZYGOTE_NICE_NAME; } else if (strcmp (argv[i], "--start-system-server" ) == 0 ) { startSystemServer = true ; } } if (zygote) { runtime.start ("com.android.internal.os.ZygoteInit" , args, zygote); } else { runtime.start ("com.android.internal.os.RuntimeInit" , args, zygote); } }
5.3 AndroidRuntime::start() —— ART 启动 源码 :frameworks/base/core/jni/AndroidRuntime.cpp
void AndroidRuntime::start (const char * className, const Vector<String8>& options, bool zygote) set_process_name (niceName); JniInvocation jni_invocation; jni_invocation.Init (NULL ); JNIEnv* env; if (startVm (&mJavaVM, &env, zygote, primary_zygote) != 0 ) { return ; } onVmCreated (env); if (startReg (env) < 0 ) { ALOGE ("Unable to register all android natives\n" ); return ; } jclass stringClass = env->FindClass ("java/lang/String" ); jobjectArray strArray = env->NewObjectArray (options.size () + 1 , stringClass, NULL ); jstring classNameStr = env->NewStringUTF (className); env->SetObjectArrayElement (strArray, 0 , classNameStr); for (size_t i = 0 ; i < options.size (); ++i) { jstring optionStr = env->NewStringUTF (options.itemAt (i).string ()); env->SetObjectArrayElement (strArray, i + 1 , optionStr); } char * slashClassName = toSlashClassName (className); jclass startClass = env->FindClass (slashClassName); jmethodID startMeth = env->GetStaticMethodID (startClass, "main" , "([Ljava/lang/String;)V" ); env->CallStaticVoidMethod (startClass, startMeth, strArray); }
5.4 预加载 —— Zygote 的核心价值 源码 :frameworks/base/core/java/com/android/internal/os/ZygoteInit.java
public class ZygoteInit { public static void main (String[] argv) { ZygoteServer zygoteServer = null ; try { Process.setThreadPriority(Process.THREAD_PRIORITY_DEFAULT); preloadClasses(); preloadResources(); nativePreloadAppProcessHALs(); maybePreloadHeavyResources(); zygoteServer = new ZygoteServer (); zygoteServer.registerZygoteSocket(); warmUpJcaProviders(); Runnable systemServerRunnable = () -> { handleSystemServerProcess(parsedArgs); }; boolean startSystemServer = argv.contains("--start-system-server" ); if (startSystemServer) { pid = zygoteServer.forkSystemServer( systemServerArgs, ...); } zygoteServer.runSelectLoop(); } catch (Throwable ex) { Log.e(TAG, "System zygote died with fatal error" , ex); throw ex; } finally { if (zygoteServer != null ) { zygoteServer.closeServerSocket(); } } } }
预加载机制的意义 :
当 Zygote fork 子进程时,子进程继承了 Zygote 的地址空间(写时复制, Copy-on-Write),因此:
所有预加载的类已经存在于内存中,子进程无需再次加载
所有预加载的资源已经就位
应用启动时间显著减少(典型减少 1-2 秒)
预加载的类列表 :frameworks/base/config/preloaded-classes,包含 ~4500 个核心类。
5.5 runSelectLoop —— Socket 监听 Runnable runSelectLoop () { ArrayList<FileDescriptor> socketFDs = new ArrayList <>(); ArrayList<ZygoteConnection> peers = new ArrayList <>(); socketFDs.add(zygoteSocket.getFileDescriptor()); peers.add(null ); while (true ) { pollUSAP(); Os.poll(pollFDs, -1 ); for (int i = 1 ; i < pollFDs.length; i++) { if (pollFDs[i].revents & POLLIN) { ZygoteConnection connection = peers.get(i); Runnable command = connection.processCommand(this , ...); if (command != null ) { return command; } } } if (socketFDs.get(0 ).revents & POLLIN) { ZygoteConnection newPeer = zygoteSocket.acceptCommandPeer(); peers.add(newPeer); socketFDs.add(newPeer.getFileDescriptor()); } } }
5.6 forkSystemServer —— fork 系统服务进程 static int forkSystemServer (int uid, int gid, int [] gids, int runtimeFlags, int [][] rlimits, long permittedCapabilities, long effectiveCapabilities) { int pid = nativeForkSystemServer( uid, gid, gids, runtimeFlags, rlimits, permittedCapabilities, effectiveCapabilities); if (pid == 0 ) { Process.setArgV0("system_server" ); } return pid; }
Native fork 实现 (frameworks/base/core/jni/com_android_internal_os_Zygote.cpp):
static pid_t ForkCommon (JNIEnv* env, bool is_system_server, const std::vector<int >& fds_to_close, const std::vector<int >& fds_to_ignore) SetSignalHandlers (); pid_t pid = fork(); if (pid == 0 ) { DetachDescriptors (env, fds_to_close); } else { } return pid; }
六、SystemServer —— Android 服务的大本营 6.1 SystemServer.main() 源码 :frameworks/base/services/java/com/android/server/SystemServer.java
public final class SystemServer { public static void main (String[] args) { new SystemServer ().run(); } private void run () { Looper.prepareMainLooper(); android.os.Process.setThreadPriority( android.os.Process.THREAD_PRIORITY_FOREGROUND); createSystemContext(); mSystemServiceManager = new SystemServiceManager (mSystemContext); LocalServices.addService(SystemServiceManager.class, mSystemServiceManager); try { t.traceBegin("StartServices" ); startBootstrapServices(t); startCoreServices(t); startOtherServices(t); } catch (Throwable ex) { throw ex; } finally { t.traceEnd(); } Looper.loop(); throw new RuntimeException ("Main thread loop unexpectedly exited" ); } }
6.2 startBootstrapServices() —— 引导服务 引导服务是系统运行的基础,它们之间没有严格的依赖顺序 ,但都需要在其他服务启动之前就绪:
private void startBootstrapServices (@NonNull TimingsTraceAndSlog t) { t.traceBegin("StartInstaller" ); Installer installer = mSystemServiceManager.startService(Installer.class); t.traceEnd(); t.traceBegin("StartActivityManager" ); mActivityManagerService = mSystemServiceManager.startService( ActivityManagerService.Lifecycle.class).getService(); mActivityManagerService.setSystemServiceManager(mSystemServiceManager); mActivityManagerService.setInstaller(installer); t.traceEnd(); mPowerManagerService = mSystemServiceManager.startService( PowerManagerService.class); mDisplayManagerService = mSystemServiceManager.startService( DisplayManagerService.class); try { mPackageManagerService = PackageManagerService.main( mSystemContext, installer, ...); } catch (Exception e) { } mSystemServiceManager.startService(UserManagerService.class); }
6.3 startCoreServices() —— 核心服务 private void startCoreServices (@NonNull TimingsTraceAndSlog t) { mSystemServiceManager.startService(BatteryService.class); mSystemServiceManager.startService(UsageStatsService.class); mSystemServiceManager.startService(WebViewUpdateService.class); mSystemServiceManager.startService(BinderCallsStatsService.class); }
6.4 startOtherServices() —— 系统服务的主战场 这是 SystemServer 中最长的函数(约 1000+ 行),按阶段启动 80+ 个服务:
private void startOtherServices (@NonNull TimingsTraceAndSlog t) { wm = WindowManagerService.main(context, inputManager, ...); ServiceManager.addService(Context.WINDOW_SERVICE, wm, ...); inputManager.setWindowManagerCallbacks(wm.getInputManagerCallback()); inputManager = new InputManagerService (context); mActivityManagerService.setWindowManager(wm); mActivityManagerService.systemReady(() -> { }); statusBar = new StatusBarManagerService (context); networkManagement = NetworkManagementService.create(context); connectivity = new ConnectivityService (context, networkManagement, ...); notification = new NotificationManagerService (context); location = new LocationManagerService (context); audioService = new AudioService (context); bluetooth = new BluetoothService (context); telephony = new TelephonyManagerService (context); mActivityManagerService.systemReady(() -> { }); }
6.5 AMS.systemReady() —— 启动桌面 public void systemReady (final Runnable goingCallback, TimingsTraceAndSlog t) { if (goingCallback != null ) goingCallback.run(); startHomeActivityLocked(mCurrentUserId, "systemReady" ); mStackSupervisor.resumeFocusedStackTopActivityLocked(); } boolean startHomeActivityLocked (int userId, String reason) { Intent intent = getHomeIntent(); ActivityInfo aInfo = resolveActivityInfo(intent, ...); mActivityStartController.startHomeActivity(intent, aInfo, myReason); }
Launcher 的 Intent 解析过程 :
Intent getHomeIntent () { Intent intent = new Intent (Intent.ACTION_MAIN); intent.addCategory(Intent.CATEGORY_HOME); return intent; }
七、关键服务启动时序图 时间轴 ──────────────────────────────────────────────> Boot ROM (0ms) │ Bootloader (~100ms) │ Kernel (~500ms) │ Init (~200ms) ├── ueventd 启动 (冷插拔设备节点) ├── ServiceManager 启动 (Binder 服务注册中心) ├── hwservicemanager 启动 (HIDL 服务注册中心) ├── vold 启动 (Volume Daemon, 挂载存储) ├── SurfaceFlinger 启动 (合成+显示) │ Zygote (~800ms) ← 预加载 4500+ 类 │ SystemServer (~3000ms) ├── AMS 启动 ├── PMS 启动 (扫描已安装应用, ~2000ms) ├── WMS 启动 ├── InputManagerService 启动 ├── StatusBarManagerService 启动 │ ... └── AMS.systemReady() │ Launcher 显示 (~4000ms) ← 用户看到桌面 │ Boot Complete 广播 (~4500ms) │ 用户可操作 (~5000ms)
八、启动性能分析 8.1 关键性能指标
阶段
典型耗时
可优化点
Bootloader
100-500ms
跳过不必要的硬件初始化
Kernel
300-800ms
精简内核配置,延迟加载模块
Init
100-300ms
延迟非关键 rc 脚本
Zygote 预加载
600-1200ms
减少预加载类数量,升级 ART
PMS 扫描
1000-3000ms
使用 PackageCache,并行扫描
SystemServer
1500-3000ms
延迟非关键服务启动
8.2 bootchart 分析工具 adb shell 'touch /data/bootchart/enabled' adb reboot adb root adb shell 'cd /data/bootchart && tar -czf /sdcard/bootchart.tgz *' adb pull /sdcard/bootchart.tgz bootchart bootchart.tgz
8.3 systrace 分析 python systrace.py --time =15 -o boot_trace.html \ am wm view res dalvik sched freq idle disk load adb shell perfetto \ -c - --txt \ -o /data/misc/perfetto-traces/trace \ <<EOF buffers: { size_kb: 63488 } data_sources: { config { name: "linux.ftrace" ftrace_config { ftrace_events: "sched/sched_switch" ftrace_events: "power/suspend_resume" ftrace_events: "sched/sched_wakeup" ftrace_events: "sched/sched_process_free" ftrace_events: "task/task_newtask" ftrace_events: "task/task_rename" atrace_categories: "am" atrace_categories: "pm" atrace_categories: "wm" atrace_categories: "view" } } } duration_ms: 15000 EOF
九、ServiceManager 与 Binder 服务注册 9.1 ServiceManager —— 服务的黄页 ServiceManager 是 Android 中第一个启动的 Native 进程(由 init.rc 中的 class core 触发)。它是 Binder IPC 的”注册中心”,所有系统服务通过它注册和查找。
源码路径 :frameworks/native/cmds/servicemanager/
int main (int argc, char ** argv) sp<ServiceManager> manager = sp<ServiceManager>::make (); if (binder_become_context_manager (manager) != OK) { LOG (FATAL) << "failed to become context manager" ; } IPCThreadState::self ()->joinThreadPool (); }
服务注册流程 :
public void setSystemProcess () { ServiceManager.addService(Context.ACTIVITY_SERVICE, this , false , DUMP_FLAG_PRIORITY_CRITICAL); ServiceManager.addService("activity" , this , ...); ServiceManager.addService("activity_manager" , this , ...); }
服务查找流程(Client 端) :
IBinder b = ServiceManager.getService("activity" );IActivityManager am = IActivityManager.Stub.asInterface(b);
9.2 Binder 驱动初始化 Binder 驱动在 Kernel 启动时加载(/dev/binder),它是 Android 进程间通信的基础设施:
Binder 节点 :每个 Binder 服务对应一个内核中的 binder_node 对象Binder 引用 :客户端持有服务的 binder_ref 引用线程池 :每个进程可以启动多个 Binder 线程处理并发请求死亡通知 :通过 linkToDeath() 监听服务端进程崩溃
Binder 的一次通信 :
Client Process Kernel Server Process │ │ │ ├─ transact() │ │ │ └─ ioctl(BINDER_WRITE) │ │ │ ├─ copy_from_user() │ │ │ └─ 调度 Server 线程 │ │ │ ├─ wake up Server thread │ │ │ ├─ onTransact() │ │ │ └─ 执行业务逻辑 │ │ write reply data │ │ ├─ wake Client thread │ │ return result │ │
十、SurfaceFlinger 启动与显示就绪 10.1 SurfaceFlinger 的启动时机 SurfaceFlinger 由 init.rc 在 class core 阶段启动:
service surfaceflinger /system/bin/surfaceflinger class core animation user system group graphics drmrpc readproc onrestart restart zygote
为什么 SurfaceFlinger 要在 Zygote 之前启动?
因为 Zygote fork SystemServer 后,SystemServer 中的 WMS(WindowManagerService)和 AMS(ActivityManagerService)需要与 SurfaceFlinger 通信来创建窗口和渲染 UI。如果 SurfaceFlinger 未就绪,这些服务将阻塞。
10.2 SurfaceFlinger 的初始化 源码路径 :frameworks/native/services/surfaceflinger/
int main (int , char **) setpriority (PRIO_PROCESS, 0 , PRIORITY_URGENT_DISPLAY); sp<ProcessState> ps (ProcessState::self()) ; ps->startThreadPool (); sp<SurfaceFlinger> flinger = surfaceflinger::createSurfaceFlinger (); flinger->init (); sp<IServiceManager> sm (defaultServiceManager()) ; sm->addService (String16 (SurfaceFlinger::getServiceName ()), flinger, ...); flinger->run (); }
10.3 BootAnimation —— 启动动画 在 SystemServer 启动期间,用户看到的是启动动画。BootAnimation 由 init.rc 启动:
service bootanim /system/bin/bootanimation class animation user graphics group graphics audio disabled # 默认不启动,由 SurfaceFlinger 触发 oneshot
启动动画生命周期 :
SurfaceFlinger 就绪后,发送 bootanim 属性变化通知
BootAnimation 开始播放(/system/media/bootanimation.zip)
AMS.systemReady() 后 → WMS 调用 SurfaceFlinger.stopBootAnim() → 动画停止
用户看到桌面
十一、PackageManagerService 扫描过程 11.1 PMS.scanDirTracedLI() PMS 的启动中最耗时的一步是扫描已安装应用:
private void scanDirTracedLI (File scanDir, int scanFlags, int packageParserCacheMaxSize) { File[] files = scanDir.listFiles(); for (File file : files) { } }
PMS 扫描优化(Android 10+) :
并行扫描 :多个分区可并行扫描PackageCache :缓存上次扫描结果(/data/system/package_cache/)增量扫描 :对比时间戳,只重新扫描有变化的 APK
十二、总结 Android 启动过程是一个精密的八步流水线:
Boot ROM :SoC 固化的启动代码,加载 Bootloader**Bootloader (LK/ABL)**:Verified Boot 验证,A/B slot 选择,加载 Kernel
Kernel :start_kernel() → rest_init() → kernel_init() → /initInit First Stage :挂载基础文件系统,加载内核模块,初始化 SELinuxInit Second Stage :解析 init.rc,触发 early-init → init → late-init,启动 ZygoteZygote :启动 ART,预加载 4500+ 类,fork SystemServer,socket 监听 fork 请求SystemServer :启动 AMS/PMS/WMS 等 80+ 系统服务Launcher :AMS.systemReady() → startHomeActivityLocked → 用户看到桌面
理解启动过程的意义不仅在于系统级调试和性能优化,更在于理解 Android 作为 Linux 衍生系统的设计哲学:通过 Zygote 的 Copy-on-Write 和预加载机制,将应用启动时间从秒级减少到百毫秒级 。
参考资源
