android8-0-0源码分析-app启动2

前言

继续上篇的app启动，本篇将从zygote接受到消息跟到activity启动。
下一篇将着重分析应用进程加载代码与资源的过程，并分析实现应用壳的加载方案。

ActivityStarter是Android 7.0新加入的类，它是加载Activity的控制类，会收集所有的逻辑来决定如何将Intent和Flags转换为Activity，并将Activity和Task以及Stack相关联。

参考文：
http://duanqz.github.io/2016-10-23-Activity-LaunchProcess-Part2#%E6%A6%82%E8%A7%88
gityuan

时序图

分析

1-zygoteServer.runSelectLoop

这里进入zygote进程
zygoteServer.runSelectLoop
位于frameworks\base\core\java\com\android\internal\os\ZygoteServer.java

/**
 * Runs the zygote process's select loop. Accepts new connections as
 * they happen, and reads commands from connections one spawn-request's
 * worth at a time.
 *
 * @throws Zygote.MethodAndArgsCaller in a child process when a main()
 * should be executed.
 */
void runSelectLoop(String abiList) throws Zygote.MethodAndArgsCaller {
    ArrayList<FileDescriptor> fds = new ArrayList<FileDescriptor>();
    ArrayList<ZygoteConnection> peers = new ArrayList<ZygoteConnection>();
	//0号为ServerSocket
    fds.add(mServerSocket.getFileDescriptor());
    peers.add(null);
	//开始fds与peers有东西，fds存的是socket连接字段的文件描述符，peers存ZygoteConnection对象本身其含socket
    while (true) {
        StructPollfd[] pollFds = new StructPollfd[fds.size()];
        for (int i = 0; i < pollFds.length; ++i) {
            pollFds[i] = new StructPollfd();
            pollFds[i].fd = fds.get(i);
            pollFds[i].events = (short) POLLIN;
        }
        try {
            Os.poll(pollFds, -1);  //对socket列表进行poll，0号是serversocket。阻塞在这里
        } catch (ErrnoException ex) {
            throw new RuntimeException("poll failed", ex);
        }
        for (int i = pollFds.length - 1; i >= 0; --i) {
			//采用I/O多路复用机制，当接收到客户端发出连接请求 或者数据处理请求到来，则往下执行；
            // 否则进入continue，跳出本次循环。
            if ((pollFds[i].revents & POLLIN) == 0) {
                continue;
            }
            if (i == 0) {
				//如果i==0则说明serversocket有消息，也就是获得了新的连接，将其存入fds与peers
                ZygoteConnection newPeer = acceptCommandPeer(abiList);
                peers.add(newPeer);
                fds.add(newPeer.getFileDesciptor());
            } else {
				//非0表示非ServerSocket有消息，取出ZygoteConnection对象，通过该对象可以获得消息并处理
                boolean done = peers.get(i).runOnce(this);//将当前的连接事件取出来执行
                if (done) {
                    peers.remove(i);
                    fds.remove(i);
                }
            }
        }
    }
}

此时Zygote作为服务端不断监听来自AMS的请求。注释详尽……有点javaNIO服务器的常见用法的感觉…..不过runOnce执行一次就把连接丢掉了。
没有连接请求时会进入休眠状态，当有创建新进程的连接请求时，唤醒Zygote进程，创建Socket通道ZygoteConnection，然后执行ZygoteConnection的runOnce()方法。

4-ZygoteConnection.runOnce

frameworks\base\core\java\com\android\internal\os\ZygoteConnection.java

 /**
  * Reads one start command from the command socket. If successful,
  * a child is forked and a {@link Zygote.MethodAndArgsCaller}
  * exception is thrown in that child while in the parent process,
  * the method returns normally. On failure, the child is not
  * spawned and messages are printed to the log and stderr. Returns
  * a boolean status value indicating whether an end-of-file on the command
  * socket has been encountered.
  *
  * @return false if command socket should continue to be read from, or
  * true if an end-of-file has been encountered.
  * @throws Zygote.MethodAndArgsCaller trampoline to invoke main()
  * method in child process
  */
 boolean runOnce(ZygoteServer zygoteServer) throws Zygote.MethodAndArgsCaller {

     String args[];
     Arguments parsedArgs = null;
     FileDescriptor[] descriptors;

     try {
         args = readArgumentList();  //获取刚刚发送的参数字串数组 用的是BufferedReader mSocketReader读的
         descriptors = mSocket.getAncillaryFileDescriptors();
     } catch (IOException ex) {
         Log.w(TAG, "IOException on command socket " + ex.getMessage());
         closeSocket();
         return true;
     }


     /** the stderr of the most recent request, if avail */
     PrintStream newStderr = null;

     if (descriptors != null && descriptors.length >= 3) {
         newStderr = new PrintStream(
                 new FileOutputStream(descriptors[2]));
     }

     int pid = -1;
     FileDescriptor childPipeFd = null;
     FileDescriptor serverPipeFd = null;

     try {
//封装参数
         parsedArgs = new Arguments(args);

         if (parsedArgs.abiListQuery) {
             return handleAbiListQuery();
         }

         if (parsedArgs.preloadDefault) {
             return handlePreload();
         }

         if (parsedArgs.preloadPackage != null) {
             return handlePreloadPackage(parsedArgs.preloadPackage,
                     parsedArgs.preloadPackageLibs, parsedArgs.preloadPackageCacheKey);
         }

         if (parsedArgs.permittedCapabilities != 0 || parsedArgs.effectiveCapabilities != 0) {
             throw new ZygoteSecurityException("Client may not specify capabilities: " +
                     "permitted=0x" + Long.toHexString(parsedArgs.permittedCapabilities) +
                     ", effective=0x" + Long.toHexString(parsedArgs.effectiveCapabilities));
         }

         applyUidSecurityPolicy(parsedArgs, peer);
         applyInvokeWithSecurityPolicy(parsedArgs, peer);

         applyDebuggerSystemProperty(parsedArgs);
         applyInvokeWithSystemProperty(parsedArgs);

         int[][] rlimits = null;

         if (parsedArgs.rlimits != null) {
             rlimits = parsedArgs.rlimits.toArray(intArray2d);
         }

         int[] fdsToIgnore = null;

         if (parsedArgs.invokeWith != null) {
             FileDescriptor[] pipeFds = Os.pipe2(O_CLOEXEC);
             childPipeFd = pipeFds[1];
             serverPipeFd = pipeFds[0];
             Os.fcntlInt(childPipeFd, F_SETFD, 0);
             fdsToIgnore = new int[] { childPipeFd.getInt$(), serverPipeFd.getInt$() };
         }

         /**
          * In order to avoid leaking descriptors to the Zygote child,
          * the native code must close the two Zygote socket descriptors
          * in the child process before it switches from Zygote-root to
          * the UID and privileges of the application being launched.
          *
          * In order to avoid "bad file descriptor" errors when the
          * two LocalSocket objects are closed, the Posix file
          * descriptors are released via a dup2() call which closes
          * the socket and substitutes an open descriptor to /dev/null.
          */

         int [] fdsToClose = { -1, -1 };

         FileDescriptor fd = mSocket.getFileDescriptor();

         if (fd != null) {
             fdsToClose[0] = fd.getInt$();
         }

         fd = zygoteServer.getServerSocketFileDescriptor();

         if (fd != null) {
             fdsToClose[1] = fd.getInt$();
         }

         fd = null;

//创建新进程
         pid = Zygote.forkAndSpecialize(parsedArgs.uid, parsedArgs.gid, parsedArgs.gids,
                 parsedArgs.debugFlags, rlimits, parsedArgs.mountExternal, parsedArgs.seInfo,
                 parsedArgs.niceName, fdsToClose, fdsToIgnore, parsedArgs.instructionSet,
                 parsedArgs.appDataDir);
     } catch (ErrnoException ex) {
         logAndPrintError(newStderr, "Exception creating pipe", ex);
     } catch (IllegalArgumentException ex) {
         logAndPrintError(newStderr, "Invalid zygote arguments", ex);
     } catch (ZygoteSecurityException ex) {
         logAndPrintError(newStderr,
                 "Zygote security policy prevents request: ", ex);
     }

     try {
         if (pid == 0) {  //pid=0表示子进程
             // in child
             zygoteServer.closeServerSocket();
             IoUtils.closeQuietly(serverPipeFd);
             serverPipeFd = null;
             handleChildProc(parsedArgs, descriptors, childPipeFd, newStderr);

             // should never get here, the child is expected to either
             // throw Zygote.MethodAndArgsCaller or exec().
             return true;
         } else {//父进程
             // in parent...pid of < 0 means failure
             IoUtils.closeQuietly(childPipeFd);
             childPipeFd = null;
             return handleParentProc(pid, descriptors, serverPipeFd, parsedArgs);
         }
     } finally {
         IoUtils.closeQuietly(childPipeFd);
         IoUtils.closeQuietly(serverPipeFd);
     }
 }

forkAndSpecialize底层调用fork创建进程。
为子：zygoteServer关闭，调用handleChildProc
父：handleParentProc通过socket将pid返回
安全措施主要靠uid判断的

forkAndSpecialize内主要有：初始化gc堆的工作, 将线程转换为long型并保存到token， fork()，设置group、limit、uid。设置信号处理函数

Arguments参数：

--setuid=
--setgid=
--target-sdk-version=
--enable-debugger
--enable-safemode
--enable-checkjni
--enable-jit
--generate-debug-info
--enable-jni-logging
--enable-assert
--runtime-args
--seinfo=
--capabilities=
--rlimit=
--setgroups=
--invoke-with
--nice-name=
--mount-external-default
--mount-external-read
--mount-external-write
--query-abi-list
--instruction-set=
--app-data-dir=

5-handleChildProc

 /**
  * Handles post-fork setup of child proc, closing sockets as appropriate,
  * reopen stdio as appropriate, and ultimately throwing MethodAndArgsCaller
  * if successful or returning if failed.
  *
  * @param parsedArgs non-null; zygote args
  * @param descriptors null-ok; new file descriptors for stdio if available.
  * @param pipeFd null-ok; pipe for communication back to Zygote.
  * @param newStderr null-ok; stream to use for stderr until stdio
  * is reopened.
  *
  * @throws Zygote.MethodAndArgsCaller on success to
  * trampoline to code that invokes static main.
  */
 private void handleChildProc(Arguments parsedArgs,
         FileDescriptor[] descriptors, FileDescriptor pipeFd, PrintStream newStderr)
         throws Zygote.MethodAndArgsCaller {
     /**
      * By the time we get here, the native code has closed the two actual Zygote
      * socket connections, and substituted /dev/null in their place.  The LocalSocket
      * objects still need to be closed properly.
      */

     closeSocket();
     if (descriptors != null) {
         try {
             Os.dup2(descriptors[0], STDIN_FILENO);
             Os.dup2(descriptors[1], STDOUT_FILENO);
             Os.dup2(descriptors[2], STDERR_FILENO);

             for (FileDescriptor fd: descriptors) {
                 IoUtils.closeQuietly(fd);
             }
             newStderr = System.err;
         } catch (ErrnoException ex) {
             Log.e(TAG, "Error reopening stdio", ex);
         }
     }

     if (parsedArgs.niceName != null) {
//设置进程名
         Process.setArgV0(parsedArgs.niceName);
     }

     // End of the postFork event.
     Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
     if (parsedArgs.invokeWith != null) {
         WrapperInit.execApplication(parsedArgs.invokeWith,
                 parsedArgs.niceName, parsedArgs.targetSdkVersion,
                 VMRuntime.getCurrentInstructionSet(),
                 pipeFd, parsedArgs.remainingArgs);
     } else {
//通过这里启动
         ZygoteInit.zygoteInit(parsedArgs.targetSdkVersion,
                 parsedArgs.remainingArgs, null /* classLoader */);
     }
 }

关闭连接，之后根据parsedArgs.invokeWith的判断决定用什么执行。
有一篇参考：https://blog.csdn.net/Roland_Sun/article/details/45870677

区别先理解为快速启动和通过系统命令app_process启动，需要时再来分析

6-ZygoteInit.zygoteInit

ZygoteInit.zygoteInit
frameworks\base\core\java\com\android\internal\os\ZygoteInit.java

  /**
   * The main function called when started through the zygote process. This
   * could be unified with main(), if the native code in nativeFinishInit()
   * were rationalized with Zygote startup.<p>
   *
   * Current recognized args:
   * <ul>
   *   <li> <code> [--] &lt;start class name&gt;  &lt;args&gt;
   * </ul>
   *
   * @param targetSdkVersion target SDK version
   * @param argv arg strings
   */
  public static final void zygoteInit(int targetSdkVersion, String[] argv,
          ClassLoader classLoader) throws Zygote.MethodAndArgsCaller {
      if (RuntimeInit.DEBUG) {
          Slog.d(RuntimeInit.TAG, "RuntimeInit: Starting application from zygote");
      }

      Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ZygoteInit");
      RuntimeInit.redirectLogStreams();

      RuntimeInit.commonInit();//通用初始化
//进程初始化
      ZygoteInit.nativeZygoteInit();
      RuntimeInit.applicationInit(targetSdkVersion, argv, classLoader);
  }

commonInit：设置默认的未捕捉异常处理方法、设置时区、重置log配置、设置默认的HTTP User-agent格式,用于 HttpURLConnection、设置socket的tag，用于网络流量统计。
nativeZygoteInit：打开/dev/binder驱动设备、启动Binder线程进入service循环，因此每个进程都有Binder通信机制。

7-RuntimeInit.applicationInit

frameworks\base\core\java\com\android\internal\os\RuntimeInit.java

 protected static void applicationInit(int targetSdkVersion, String[] argv, ClassLoader classLoader)
         throws Zygote.MethodAndArgsCaller {
     // If the application calls System.exit(), terminate the process
     // immediately without running any shutdown hooks.  It is not possible to
     // shutdown an Android application gracefully.  Among other things, the
     // Android runtime shutdown hooks close the Binder driver, which can cause
     // leftover running threads to crash before the process actually exits.
//true代表应用程序退出时不调用AppRuntime.onExit()，否则会在退出前调用
     nativeSetExitWithoutCleanup(true);

     // We want to be fairly aggressive about heap utilization, to avoid
     // holding on to a lot of memory that isn't needed.
//设置虚拟机的内存利用率参数值为0.75
     VMRuntime.getRuntime().setTargetHeapUtilization(0.75f);
     VMRuntime.getRuntime().setTargetSdkVersion(targetSdkVersion);

     final Arguments args;
     try {
         args = new Arguments(argv);
     } catch (IllegalArgumentException ex) {
         Slog.e(TAG, ex.getMessage());
         // let the process exit
         return;
     }

     // The end of of the RuntimeInit event (see #zygoteInit).
     Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);

     // Remaining arguments are passed to the start class's static main
     invokeStaticMain(args.startClass, args.startArgs, classLoader);
 }

	
	
	
 /**
  * Invokes a static "main(argv[]) method on class "className".
  * Converts various failing exceptions into RuntimeExceptions, with
  * the assumption that they will then cause the VM instance to exit.
  *
  * @param className Fully-qualified class name
  * @param argv Argument vector for main()
  * @param classLoader the classLoader to load {@className} with
  */
 private static void invokeStaticMain(String className, String[] argv, ClassLoader classLoader)
         throws Zygote.MethodAndArgsCaller {
     Class<?> cl;

     try {
         cl = Class.forName(className, true, classLoader);
     } catch (ClassNotFoundException ex) {
         throw new RuntimeException(
                 "Missing class when invoking static main " + className,
                 ex);
     }

     Method m;
     try {
         m = cl.getMethod("main", new Class[] { String[].class });
     } catch (NoSuchMethodException ex) {
         throw new RuntimeException(
                 "Missing static main on " + className, ex);
     } catch (SecurityException ex) {
         throw new RuntimeException(
                 "Problem getting static main on " + className, ex);
     }

     int modifiers = m.getModifiers();  //此时还在java层，这里是反射
     if (! (Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers))) {
         throw new RuntimeException(
                 "Main method is not public and static on " + className);
     }

     /*
      * This throw gets caught in ZygoteInit.main(), which responds
      * by invoking the exception's run() method. This arrangement
      * clears up all the stack frames that were required in setting
      * up the process.
      */
     throw new Zygote.MethodAndArgsCaller(m, argv);
 }

最终抛出Zygote.MethodAndArgsCaller(m, argv)

frameworks\base\core\java\com\android\internal\os\Zygote.java

/**
 * Helper exception class which holds a method and arguments and
 * can call them. This is used as part of a trampoline to get rid of
 * the initial process setup stack frames.
 */
public static class MethodAndArgsCaller extends Exception
        implements Runnable {
    /** method to call */
    private final Method mMethod;

    /** argument array */
    private final String[] mArgs;

    public MethodAndArgsCaller(Method method, String[] args) {
        mMethod = method;
        mArgs = args;
    }

    public void run() {
        try {
            mMethod.invoke(null, new Object[] { mArgs });
        } catch (IllegalAccessException ex) {
            throw new RuntimeException(ex);
        } catch (InvocationTargetException ex) {
            Throwable cause = ex.getCause();
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            } else if (cause instanceof Error) {
                throw (Error) cause;
            }
            throw new RuntimeException(ex);
        }
    }
}

MethodAndArgsCaller继承Exception类并实现Runnable接口，这里是个有意思的地方，最终这个MethodAndArgsCaller异常会被ZygoteInit的main函数捕获。
java中的函数抛出异常没有被当前函数捕获，当前函数的执行将异常退出，退出该栈。并将这个异常向上传递直到被捕获。

捕获点：
frameworks\base\core\java\com\android\internal\os\ZygoteInit.java

   public static void main(String argv[]) {

.....
       
           zygoteServer.runSelectLoop(abiList);  //进入选择循环

           zygoteServer.closeServerSocket();
       } catch (Zygote.MethodAndArgsCaller caller) {
           caller.run();//执行
       } catch (Throwable ex) {
           Log.e(TAG, "System zygote died with exception", ex);
           zygoteServer.closeServerSocket();
           throw ex;
       }
   }

可见在ZygoteInit的main捕获并执行run
这样做的原因是为了保证一个干净的虚拟机栈。该栈最后只剩执行到尾部的ZygoteInit.main之后即可执行ActivityThread.main。
透过这点思考出：java的错误机制只不过使另一种函数返回方式，原理为栈的快速回退。快速回逆的时候可以携带对象参数，并且可以对该参数拦截控制栈回退的位置！

10-ActivityThread.main

捕获执行的run中执行了android.app.ActivityThread.main
frameworks\base\core\java\android\app\ActivityThread.java

   @GuardedBy("mNetworkPolicyLock")
   private long mNetworkBlockSeq = INVALID_PROC_STATE_SEQ;

   private ContextImpl mSystemContext;
   private ContextImpl mSystemUiContext;

   static volatile IPackageManager sPackageManager;

   final ApplicationThread mAppThread = new ApplicationThread();
   final Looper mLooper = Looper.myLooper();
   final H mH = new H();
   final ArrayMap<IBinder, ActivityClientRecord> mActivities = new ArrayMap<>();
   // List of new activities (via ActivityRecord.nextIdle) that should
   // be reported when next we idle.
   ActivityClientRecord mNewActivities = null;
   // Number of activities that are currently visible on-screen.
   int mNumVisibleActivities = 0;
   ArrayList<WeakReference<AssistStructure>> mLastAssistStructures = new ArrayList<>();
   private int mLastSessionId;
   final ArrayMap<IBinder, Service> mServices = new ArrayMap<>();
   AppBindData mBoundApplication;
   Profiler mProfiler;
   int mCurDefaultDisplayDpi;
   boolean mDensityCompatMode;
   Configuration mConfiguration;
   Configuration mCompatConfiguration;
   Application mInitialApplication;
   final ArrayList<Application> mAllApplications
           = new ArrayList<Application>();
   // set of instantiated backup agents, keyed by package name
   final ArrayMap<String, BackupAgent> mBackupAgents = new ArrayMap<String, BackupAgent>();
   /** Reference to singleton {@link ActivityThread} */
   private static volatile ActivityThread sCurrentActivityThread;
   Instrumentation mInstrumentation;


   ActivityThread() {
       mResourcesManager = ResourcesManager.getInstance();
   }


   public static void main(String[] args) {
       Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "ActivityThreadMain");
       SamplingProfilerIntegration.start();

       // CloseGuard defaults to true and can be quite spammy.  We
       // disable it here, but selectively enable it later (via
       // StrictMode) on debug builds, but using DropBox, not logs.
       CloseGuard.setEnabled(false);

       Environment.initForCurrentUser();

       // Set the reporter for event logging in libcore
       EventLogger.setReporter(new EventLoggingReporter());

       // Make sure TrustedCertificateStore looks in the right place for CA certificates
       final File configDir = Environment.getUserConfigDirectory(UserHandle.myUserId());
       TrustedCertificateStore.setDefaultUserDirectory(configDir);

       Process.setArgV0("<pre-initialized>");
    //创建主线程looper
       Looper.prepareMainLooper();

	//创建ActivityThread
       ActivityThread thread = new ActivityThread();
	//attach到系统进程
       thread.attach(false);
	
	//创建Handler
       if (sMainThreadHandler == null) {
           sMainThreadHandler = thread.getHandler();
       }

	//这个不执行
       if (false) {
           Looper.myLooper().setMessageLogging(new
                   LogPrinter(Log.DEBUG, "ActivityThread"));
       }

       //主线程进入循环状态，以后用于启动activity、service
       Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
       Looper.loop();

       throw new RuntimeException("Main thread loop unexpectedly exited");
   }


static volatile Handler sMainThreadHandler;  // set once in main()
final H mH = new H();
final Handler getHandler() {
       return mH;
   }

这就是主线程，也就是UI线程。关于Looper需要回顾下android多线程编程：
Looper：每个线程的messagequeue管家，调用loop之后进入循环，发现messagequeue中有消息就取出，传递到Handler中执行。
MessageQueue：存放handler的消息
Message：线程间的消息
Handler：处理、发送消息。

frameworks\base\core\java\android\os\Looper.java

static final ThreadLocal<Looper> sThreadLocal = new ThreadLocal<Looper>();
private static Looper sMainLooper;  // guarded by Looper.class

   public static void prepareMainLooper() {
       prepare(false);
       synchronized (Looper.class) {
           if (sMainLooper != null) {
               throw new IllegalStateException("The main Looper has already been prepared.");
           }
           sMainLooper = myLooper();
       }
   }
private static void prepare(boolean quitAllowed) {
       if (sThreadLocal.get() != null) {
           throw new RuntimeException("Only one Looper may be created per thread");
       }
       sThreadLocal.set(new Looper(quitAllowed));
   }
private Looper(boolean quitAllowed) {
       mQueue = new MessageQueue(quitAllowed);
       mThread = Thread.currentThread();
   }
final MessageQueue mQueue;

一般线程里looper初始化用prepare里面的sThreadLocal是static final的，说明其线程唯一。底层保证其创建于线程私有空间
在ActivityThread里的prepareMainLooper中还赋值给了sMainLooper，为该类所有，是进程唯一。主线程looper可以被其它线程直接获取
同时创建lopper时会创建与lopper唯一绑定的queue，主线程创建时传入false不允许退出，该对象是属于looper对象的，属于进程空间，可被线程共享，因此用来接收消息。

frameworks\base\core\java\android\os\Handler.java

public Handler(Callback callback, boolean async) {
    if (FIND_POTENTIAL_LEAKS) {
        final Class<? extends Handler> klass = getClass();
        if ((klass.isAnonymousClass() || klass.isMemberClass() || klass.isLocalClass()) &&
                (klass.getModifiers() & Modifier.STATIC) == 0) {
            Log.w(TAG, "The following Handler class should be static or leaks might occur: " +
                klass.getCanonicalName());
        }
    }

    mLooper = Looper.myLooper();
    if (mLooper == null) {
        throw new RuntimeException(
            "Can't create handler inside thread that has not called Looper.prepare()");
    }
    mQueue = mLooper.mQueue;
    mCallback = callback;
    mAsynchronous = async;
}

普通的Handler生成方式：构造Handler时绑定该线程的looper，因此所有线程用该handler发送的消息都到了handler创建的线程的处理looper中。
ActivityThread的Handler生成方式：直接获取一个该对象唯一的H继承Handler，也就是为lopper绑定了一个已经实现的Handler，该对象与activityThread类绑定，static可被全局找到
消息传递的核心是队列，利用了线程共享数据作为消息接发，实现线程通信。

loop
frameworks\base\core\java\android\os\Looper.java

   /**
    * Run the message queue in this thread. Be sure to call
    * {@link #quit()} to end the loop.
    */
   public static void loop() {
       final Looper me = myLooper();
       if (me == null) {
           throw new RuntimeException("No Looper; Looper.prepare() wasn't called on this thread.");
       }
	//获取lopper绑定的queue
       final MessageQueue queue = me.mQueue;

       // Make sure the identity of this thread is that of the local process,
       // and keep track of what that identity token actually is.
       Binder.clearCallingIdentity();
       final long ident = Binder.clearCallingIdentity();

       for (;;) {
           Message msg = queue.next(); // might block  在这里阻塞
           if (msg == null) {
               // No message indicates that the message queue is quitting.
               return;
           }

           // This must be in a local variable, in case a UI event sets the logger
           final Printer logging = me.mLogging;
           if (logging != null) {
               logging.println(">>>>> Dispatching to " + msg.target + " " +
                       msg.callback + ": " + msg.what);
           }

           final long slowDispatchThresholdMs = me.mSlowDispatchThresholdMs;

           final long traceTag = me.mTraceTag;
           if (traceTag != 0 && Trace.isTagEnabled(traceTag)) {
               Trace.traceBegin(traceTag, msg.target.getTraceName(msg));
           }
           final long start = (slowDispatchThresholdMs == 0) ? 0 : SystemClock.uptimeMillis();
           final long end;
           try {
			//获取msg的handler来处理
               msg.target.dispatchMessage(msg);
               end = (slowDispatchThresholdMs == 0) ? 0 : SystemClock.uptimeMillis();
           } finally {
               if (traceTag != 0) {
                   Trace.traceEnd(traceTag);
               }
           }
           if (slowDispatchThresholdMs > 0) {
               final long time = end - start;
               if (time > slowDispatchThresholdMs) {
                   Slog.w(TAG, "Dispatch took " + time + "ms on "
                           + Thread.currentThread().getName() + ", h=" +
                           msg.target + " cb=" + msg.callback + " msg=" + msg.what);
               }
           }

           if (logging != null) {
               logging.println("<<<<< Finished to " + msg.target + " " + msg.callback);
           }

           // Make sure that during the course of dispatching the
           // identity of the thread wasn't corrupted.
           final long newIdent = Binder.clearCallingIdentity();
           if (ident != newIdent) {
               Log.wtf(TAG, "Thread identity changed from 0x"
                       + Long.toHexString(ident) + " to 0x"
                       + Long.toHexString(newIdent) + " while dispatching to "
                       + msg.target.getClass().getName() + " "
                       + msg.callback + " what=" + msg.what);
           }

           msg.recycleUnchecked();
       }
   }

//frameworks\base\core\java\android\os\Handler.java
public void dispatchMessage(Message msg) {
       if (msg.callback != null) {
           handleCallback(msg);
       } else {
           if (mCallback != null) {
               if (mCallback.handleMessage(msg)) {
                   return;
               }
           }
           handleMessage(msg);
       }
   }

looper所在线程为处理线程，此处轮询queue获取msg调用发送它的handler执行dispatchMessage最后执行handleMessage。
因为handler创建时绑定线程因此发送时只发送给绑定的线程因此受到的线程执行他的处理方法即可。
之后等待AMS的消息………

12-ActivityThread.attach

frameworks\base\core\java\android\app\ActivityThread.java

	
final ApplicationThread mAppThread = new ApplicationThread();
private static volatile ActivityThread sCurrentActivityThread;
	
    private void attach(boolean system) {
		//保存进程唯一当前主线程
        sCurrentActivityThread = this;
        mSystemThread = system; 
		//不是系统线程
        if (!system) {
            ViewRootImpl.addFirstDrawHandler(new Runnable() {
                @Override
                public void run() {
                    ensureJitEnabled();
                }
            });
            android.ddm.DdmHandleAppName.setAppName("<pre-initialized>",
                                                    UserHandle.myUserId());
													
			//初始化RuntimeInit.mApplicationObject值为作为Binder的ApplicationThread
            RuntimeInit.setApplicationObject(mAppThread.asBinder());
            final IActivityManager mgr = ActivityManager.getService();
            try {
				
				
				//binder调用AMS的方法传递的是IApplicationThread也就是应用进程的binder
                mgr.attachApplication(mAppThread);
            } catch (RemoteException ex) {
                throw ex.rethrowFromSystemServer();
            }
            // Watch for getting close to heap limit.
            BinderInternal.addGcWatcher(new Runnable() {
                @Override public void run() {
                    if (!mSomeActivitiesChanged) {
                        return;
                    }
                    Runtime runtime = Runtime.getRuntime();
                    long dalvikMax = runtime.maxMemory();
                    long dalvikUsed = runtime.totalMemory() - runtime.freeMemory();
                    if (dalvikUsed > ((3*dalvikMax)/4)) {
                        if (DEBUG_MEMORY_TRIM) Slog.d(TAG, "Dalvik max=" + (dalvikMax/1024)
                                + " total=" + (runtime.totalMemory()/1024)
                                + " used=" + (dalvikUsed/1024));
                        mSomeActivitiesChanged = false;
                        try {
                            mgr.releaseSomeActivities(mAppThread);
                        } catch (RemoteException e) {
                            throw e.rethrowFromSystemServer();
                        }
                    }
                }
            });
        } else {
......
        }

        // add dropbox logging to libcore
        DropBox.setReporter(new DropBoxReporter());

        ViewRootImpl.ConfigChangedCallback configChangedCallback
                = (Configuration globalConfig) -> {
            synchronized (mResourcesManager) {
                // We need to apply this change to the resources immediately, because upon returning
                // the view hierarchy will be informed about it.
                if (mResourcesManager.applyConfigurationToResourcesLocked(globalConfig,
                        null /* compat */)) {
                    updateLocaleListFromAppContext(mInitialApplication.getApplicationContext(),
                            mResourcesManager.getConfiguration().getLocales());

                    // This actually changed the resources! Tell everyone about it.
                    if (mPendingConfiguration == null
                            || mPendingConfiguration.isOtherSeqNewer(globalConfig)) {
                        mPendingConfiguration = globalConfig;
                        sendMessage(H.CONFIGURATION_CHANGED, globalConfig);
                    }
                }
            }
        };
        ViewRootImpl.addConfigCallback(configChangedCallback);
    }

	private class ApplicationThread extends IApplicationThread.Stub {
		......
	}
//frameworks\base\core\java\com\android\internal\os\RuntimeInit.java
	private static IBinder mApplicationObject;
	public static final void setApplicationObject(IBinder app) {
        mApplicationObject = app;
    }

mAppThread是一个ApplicationThread类型的Binder对象，它的作用是用来进行进程间通信的。其继承于IApplicationThread.Stub
IActivityManager与IApplicationThread用于应用与服务互相交互，一个位于服务一个位于应用。
http://duanqz.github.io/2016-01-29-Activity-IPC
注意ApplicationThread运行于Binder线程。

13-AMS.attachApplication

AMS.attachApplication
frameworks\base\services\core\java\com\android\server\am\ActivityManagerService.java

  @Override
  public final void attachApplication(IApplicationThread thread) {
      synchronized (this) {
          int callingPid = Binder.getCallingPid();//调用者pid
          final long origId = Binder.clearCallingIdentity();
          attachApplicationLocked(thread, callingPid);
          Binder.restoreCallingIdentity(origId);
      }
  }

	
	
  
  private final boolean attachApplicationLocked(IApplicationThread thread,
          int pid) {

      // Find the application record that is being attached...  either via
      // the pid if we are running in multiple processes, or just pull the
      // next app record if we are emulating process with anonymous threads.
//根据pid获取ProcessRecord应用信息
      ProcessRecord app;
      long startTime = SystemClock.uptimeMillis();
      if (pid != MY_PID && pid >= 0) {
          synchronized (mPidsSelfLocked) {
              app = mPidsSelfLocked.get(pid);
          }
      } else {
          app = null;
      }

      if (app == null) {
          Slog.w(TAG, "No pending application record for pid " + pid
                  + " (IApplicationThread " + thread + "); dropping process");
          EventLog.writeEvent(EventLogTags.AM_DROP_PROCESS, pid);
          if (pid > 0 && pid != MY_PID) {
              killProcessQuiet(pid);
              //TODO: killProcessGroup(app.info.uid, pid);
          } else {
              try {
                  thread.scheduleExit();
              } catch (Exception e) {
                  // Ignore exceptions.
              }
          }
          return false;
      }

      // If this application record is still attached to a previous
      // process, clean it up now.
      if (app.thread != null) {
	//之前绑过的进程信息清除
          handleAppDiedLocked(app, true, true);
      }

      // Tell the process all about itself.

      if (DEBUG_ALL) Slog.v(
              TAG, "Binding process pid " + pid + " to record " + app);

      final String processName = app.processName;
      try {
	//注册应用进程的DeathRecipient，当应用进程崩溃时，系统进程可以收到通知
          AppDeathRecipient adr = new AppDeathRecipient(
                  app, pid, thread);
          thread.asBinder().linkToDeath(adr, 0);
          app.deathRecipient = adr;
      } catch (RemoteException e) {
          app.resetPackageList(mProcessStats);
          startProcessLocked(app, "link fail", processName);
          return false;
      }

      EventLog.writeEvent(EventLogTags.AM_PROC_BOUND, app.userId, app.pid, app.processName);
// 将ProcessRecord对象绑定到应用进程，这是ProcessRecord就变成了“激活”状态
//给予IApplicationThread
      app.makeActive(thread, mProcessStats);
      app.curAdj = app.setAdj = app.verifiedAdj = ProcessList.INVALID_ADJ;
      app.curSchedGroup = app.setSchedGroup = ProcessList.SCHED_GROUP_DEFAULT;
      app.forcingToImportant = null;
      updateProcessForegroundLocked(app, false, false);
      app.hasShownUi = false;
      app.debugging = false;
      app.cached = false;
      app.killedByAm = false;
      app.killed = false;


      // We carefully use the same state that PackageManager uses for
      // filtering, since we use this flag to decide if we need to install
      // providers when user is unlocked later
      app.unlocked = StorageManager.isUserKeyUnlocked(app.userId);

      mHandler.removeMessages(PROC_START_TIMEOUT_MSG, app);

//获取应用进程中所有注册的Provider，这需要通过PackageManager来扫描进程所关联的包名，
//所有静态的Provider信息，即ProviderInfo对象，都会保存到ProcessRecord.pubProviders变量中
      boolean normalMode = mProcessesReady || isAllowedWhileBooting(app.info);
      List<ProviderInfo> providers = normalMode ? generateApplicationProvidersLocked(app) : null;

      if (providers != null && checkAppInLaunchingProvidersLocked(app)) {
          Message msg = mHandler.obtainMessage(CONTENT_PROVIDER_PUBLISH_TIMEOUT_MSG);
          msg.obj = app;
          mHandler.sendMessageDelayed(msg, CONTENT_PROVIDER_PUBLISH_TIMEOUT);
      }

      checkTime(startTime, "attachApplicationLocked: before bindApplication");

      if (!normalMode) {
          Slog.i(TAG, "Launching preboot mode app: " + app);
      }

      if (DEBUG_ALL) Slog.v(
          TAG, "New app record " + app
          + " thread=" + thread.asBinder() + " pid=" + pid);
      try {
          int testMode = ApplicationThreadConstants.DEBUG_OFF;
          if (mDebugApp != null && mDebugApp.equals(processName)) {
              testMode = mWaitForDebugger
                  ? ApplicationThreadConstants.DEBUG_WAIT
                  : ApplicationThreadConstants.DEBUG_ON;
              app.debugging = true;
              if (mDebugTransient) {
                  mDebugApp = mOrigDebugApp;
                  mWaitForDebugger = mOrigWaitForDebugger;
              }
          }
          String profileFile = app.instr != null ? app.instr.mProfileFile : null;
          ParcelFileDescriptor profileFd = null;
          int samplingInterval = 0;
          boolean profileAutoStop = false;
          boolean profileStreamingOutput = false;
          if (mProfileApp != null && mProfileApp.equals(processName)) {
              mProfileProc = app;
              profileFile = mProfileFile;
              profileFd = mProfileFd;
              samplingInterval = mSamplingInterval;
              profileAutoStop = mAutoStopProfiler;
              profileStreamingOutput = mStreamingOutput;
          }
          boolean enableTrackAllocation = false;
          if (mTrackAllocationApp != null && mTrackAllocationApp.equals(processName)) {
              enableTrackAllocation = true;
              mTrackAllocationApp = null;
          }

          // If the app is being launched for restore or full backup, set it up specially
          boolean isRestrictedBackupMode = false;
          if (mBackupTarget != null && mBackupAppName.equals(processName)) {
              isRestrictedBackupMode = mBackupTarget.appInfo.uid >= FIRST_APPLICATION_UID
                      && ((mBackupTarget.backupMode == BackupRecord.RESTORE)
                              || (mBackupTarget.backupMode == BackupRecord.RESTORE_FULL)
                              || (mBackupTarget.backupMode == BackupRecord.BACKUP_FULL));
          }

          if (app.instr != null) {
              notifyPackageUse(app.instr.mClass.getPackageName(),
                               PackageManager.NOTIFY_PACKAGE_USE_INSTRUMENTATION);
          }
          if (DEBUG_CONFIGURATION) Slog.v(TAG_CONFIGURATION, "Binding proc "
                  + processName + " with config " + getGlobalConfiguration());
          ApplicationInfo appInfo = app.instr != null ? app.instr.mTargetInfo : app.info;
          app.compat = compatibilityInfoForPackageLocked(appInfo);
          if (profileFd != null) {
              profileFd = profileFd.dup();
          }
          ProfilerInfo profilerInfo = profileFile == null ? null
                  : new ProfilerInfo(profileFile, profileFd, samplingInterval, profileAutoStop,
                                     profileStreamingOutput);

          // We deprecated Build.SERIAL and it is not accessible to
          // apps that target the v2 security sandbox. Since access to
          // the serial is now behind a permission we push down the value.
          String buildSerial = Build.UNKNOWN;
          if (appInfo.targetSandboxVersion != 2) {
              buildSerial = IDeviceIdentifiersPolicyService.Stub.asInterface(
                      ServiceManager.getService(Context.DEVICE_IDENTIFIERS_SERVICE))
                      .getSerial();
          }

          // Check if this is a secondary process that should be incorporated into some
          // currently active instrumentation.  (Note we do this AFTER all of the profiling
          // stuff above because profiling can currently happen only in the primary
          // instrumentation process.)
          if (mActiveInstrumentation.size() > 0 && app.instr == null) {
              for (int i = mActiveInstrumentation.size() - 1; i >= 0 && app.instr == null; i--) {
                  ActiveInstrumentation aInstr = mActiveInstrumentation.get(i);
                  if (!aInstr.mFinished && aInstr.mTargetInfo.uid == app.uid) {
                      if (aInstr.mTargetProcesses.length == 0) {
                          // This is the wildcard mode, where every process brought up for
                          // the target instrumentation should be included.
                          if (aInstr.mTargetInfo.packageName.equals(app.info.packageName)) {
                              app.instr = aInstr;
                              aInstr.mRunningProcesses.add(app);
                          }
                      } else {
                          for (String proc : aInstr.mTargetProcesses) {
                              if (proc.equals(app.processName)) {
                                  app.instr = aInstr;
                                  aInstr.mRunningProcesses.add(app);
                                  break;
                              }
                          }
                      }
                  }
              }
          }

          checkTime(startTime, "attachApplicationLocked: immediately before bindApplication");
          mStackSupervisor.mActivityMetricsLogger.notifyBindApplication(app);
	
	
	//将信息传递给应用进程
          if (app.instr != null) {
              thread.bindApplication(processName, appInfo, providers,
                      app.instr.mClass,
                      profilerInfo, app.instr.mArguments,
                      app.instr.mWatcher,
                      app.instr.mUiAutomationConnection, testMode,
                      mBinderTransactionTrackingEnabled, enableTrackAllocation,
                      isRestrictedBackupMode || !normalMode, app.persistent,
                      new Configuration(getGlobalConfiguration()), app.compat,
                      getCommonServicesLocked(app.isolated),
                      mCoreSettingsObserver.getCoreSettingsLocked(),
                      buildSerial);
          } else {
              thread.bindApplication(processName, appInfo, providers, null, profilerInfo,
                      null, null, null, testMode,
                      mBinderTransactionTrackingEnabled, enableTrackAllocation,
                      isRestrictedBackupMode || !normalMode, app.persistent,
                      new Configuration(getGlobalConfiguration()), app.compat,
                      getCommonServicesLocked(app.isolated),
                      mCoreSettingsObserver.getCoreSettingsLocked(),
                      buildSerial);
          }

          checkTime(startTime, "attachApplicationLocked: immediately after bindApplication");
          updateLruProcessLocked(app, false, null);
          checkTime(startTime, "attachApplicationLocked: after updateLruProcessLocked");
          app.lastRequestedGc = app.lastLowMemory = SystemClock.uptimeMillis();
      } catch (Exception e) {
          // todo: Yikes!  What should we do?  For now we will try to
          // start another process, but that could easily get us in
          // an infinite loop of restarting processes...
          Slog.wtf(TAG, "Exception thrown during bind of " + app, e);

          app.resetPackageList(mProcessStats);
          app.unlinkDeathRecipient();
          startProcessLocked(app, "bind fail", processName);
          return false;
      }

      // Remove this record from the list of starting applications.
      mPersistentStartingProcesses.remove(app);
      if (DEBUG_PROCESSES && mProcessesOnHold.contains(app)) Slog.v(TAG_PROCESSES,
              "Attach application locked removing on hold: " + app);
      mProcessesOnHold.remove(app);

      boolean badApp = false;
      boolean didSomething = false;

      // See if the top visible activity is waiting to run in this process...
      if (normalMode) {
          try {
		//调度activity
              if (mStackSupervisor.attachApplicationLocked(app)) {
                  didSomething = true;
              }
          } catch (Exception e) {
              Slog.wtf(TAG, "Exception thrown launching activities in " + app, e);
              badApp = true;
          }
      }

      // Find any services that should be running in this process...
      if (!badApp) {
          try {
		//调度service
              didSomething |= mServices.attachApplicationLocked(app, processName);
              checkTime(startTime, "attachApplicationLocked: after mServices.attachApplicationLocked");
          } catch (Exception e) {
              Slog.wtf(TAG, "Exception thrown starting services in " + app, e);
              badApp = true;
          }
      }

      // Check if a next-broadcast receiver is in this process...
      if (!badApp && isPendingBroadcastProcessLocked(pid)) {
          try {
		//调度croadcast
              didSomething |= sendPendingBroadcastsLocked(app);
              checkTime(startTime, "attachApplicationLocked: after sendPendingBroadcastsLocked");
          } catch (Exception e) {
              // If the app died trying to launch the receiver we declare it 'bad'
              Slog.wtf(TAG, "Exception thrown dispatching broadcasts in " + app, e);
              badApp = true;
          }
      }

      // Check whether the next backup agent is in this process...
      if (!badApp && mBackupTarget != null && mBackupTarget.app == app) {
          if (DEBUG_BACKUP) Slog.v(TAG_BACKUP,
                  "New app is backup target, launching agent for " + app);
          notifyPackageUse(mBackupTarget.appInfo.packageName,
                           PackageManager.NOTIFY_PACKAGE_USE_BACKUP);
          try {
              thread.scheduleCreateBackupAgent(mBackupTarget.appInfo,
                      compatibilityInfoForPackageLocked(mBackupTarget.appInfo),
                      mBackupTarget.backupMode);
          } catch (Exception e) {
              Slog.wtf(TAG, "Exception thrown creating backup agent in " + app, e);
              badApp = true;
          }
      }

      if (badApp) {
          app.kill("error during init", true);
          handleAppDiedLocked(app, false, true);
          return false;
      }

      if (!didSomething) {
          updateOomAdjLocked();
          checkTime(startTime, "attachApplicationLocked: after updateOomAdjLocked");
      }

      return true;
  }

通过Binder.getCallingPid()可以获取Binder接口的调用者所在进程的PID，
用进程的ApplicationThread对象赋值给ProcessRecord.thread变量，
AMS获取启动要启动进程的信息，AMS将要启动的apk信息发给新进程。通过pid确认要发的包，通过IApplicationThread确定进程目标。
将信息传递给应用程序以后，就可以进行调度了。这里通过两个标识来记录调度的情况：badApp标识是否调度失败，默认为false，在依次调度Activity、Service和Broadcast的过程中，根据实际的情况，可能将其调整为true，表示调度失败了。一旦调度失败，则需要杀掉应用进程；didSomething表示确有调度发生。

17-bindApplication

ApplicationThread会在Binder线程中响应这个跨进程调用，进行一些简单的数据封装后，便向主线程抛出一个BIND_APPLICATION消息
又回到新进程的ActivityThread收到Binder消息BIND_APPLICATION调用：

frameworks\base\core\java\android\app\ActivityThread.java

H.handleMessage:
               case BIND_APPLICATION:
                   Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "bindApplication");
                   AppBindData data = (AppBindData)msg.obj;
                   handleBindApplication(data);
                   Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
                   break;
				
				
				
   private void handleBindApplication(AppBindData data) {
	//数据初始化
       // Register the UI Thread as a sensitive thread to the runtime.
       VMRuntime.registerSensitiveThread();
       if (data.trackAllocation) {
           DdmVmInternal.enableRecentAllocations(true);
       }

       // Note when this process has started.
       Process.setStartTimes(SystemClock.elapsedRealtime(), SystemClock.uptimeMillis());

       mBoundApplication = data;
       mConfiguration = new Configuration(data.config);
       mCompatConfiguration = new Configuration(data.config);

       mProfiler = new Profiler();
       if (data.initProfilerInfo != null) {
           mProfiler.profileFile = data.initProfilerInfo.profileFile;
           mProfiler.profileFd = data.initProfilerInfo.profileFd;
           mProfiler.samplingInterval = data.initProfilerInfo.samplingInterval;
           mProfiler.autoStopProfiler = data.initProfilerInfo.autoStopProfiler;
           mProfiler.streamingOutput = data.initProfilerInfo.streamingOutput;
       }

       // send up app name; do this *before* waiting for debugger
	//设置进程名
       Process.setArgV0(data.processName);
       android.ddm.DdmHandleAppName.setAppName(data.processName,
                                               UserHandle.myUserId());
	//进程运行信息设置
       if (data.persistent) {
           // Persistent processes on low-memory devices do not get to
           // use hardware accelerated drawing, since this can add too much
           // overhead to the process.
           if (!ActivityManager.isHighEndGfx()) {
               ThreadedRenderer.disable(false);
           }
       }

       if (mProfiler.profileFd != null) {
           mProfiler.startProfiling();
       }

       // If the app is Honeycomb MR1 or earlier, switch its AsyncTask
       // implementation to use the pool executor.  Normally, we use the
       // serialized executor as the default. This has to happen in the
       // main thread so the main looper is set right.
       if (data.appInfo.targetSdkVersion <= android.os.Build.VERSION_CODES.HONEYCOMB_MR1) {
           AsyncTask.setDefaultExecutor(AsyncTask.THREAD_POOL_EXECUTOR);
       }

       Message.updateCheckRecycle(data.appInfo.targetSdkVersion);

       /*
        * Before spawning a new process, reset the time zone to be the system time zone.
        * This needs to be done because the system time zone could have changed after the
        * the spawning of this process. Without doing this this process would have the incorrect
        * system time zone.
        */
       TimeZone.setDefault(null);

       /*
        * Set the LocaleList. This may change once we create the App Context.
        */
       LocaleList.setDefault(data.config.getLocales());

       synchronized (mResourcesManager) {
           /*
            * Update the system configuration since its preloaded and might not
            * reflect configuration changes. The configuration object passed
            * in AppBindData can be safely assumed to be up to date
            */
           mResourcesManager.applyConfigurationToResourcesLocked(data.config, data.compatInfo);
           mCurDefaultDisplayDpi = data.config.densityDpi;

           // This calls mResourcesManager so keep it within the synchronized block.
           applyCompatConfiguration(mCurDefaultDisplayDpi);
       }

	
	
	//获取LoadedApk对象
       data.info = getPackageInfoNoCheck(data.appInfo, data.compatInfo);

       /**
        * Switch this process to density compatibility mode if needed.
        */
       if ((data.appInfo.flags&ApplicationInfo.FLAG_SUPPORTS_SCREEN_DENSITIES)
               == 0) {
           mDensityCompatMode = true;
           Bitmap.setDefaultDensity(DisplayMetrics.DENSITY_DEFAULT);
       }
       updateDefaultDensity();

       final String use24HourSetting = mCoreSettings.getString(Settings.System.TIME_12_24);
       Boolean is24Hr = null;
       if (use24HourSetting != null) {
           is24Hr = "24".equals(use24HourSetting) ? Boolean.TRUE : Boolean.FALSE;
       }
       // null : use locale default for 12/24 hour formatting,
       // false : use 12 hour format,
       // true : use 24 hour format.
       DateFormat.set24HourTimePref(is24Hr);

       View.mDebugViewAttributes =
               mCoreSettings.getInt(Settings.Global.DEBUG_VIEW_ATTRIBUTES, 0) != 0;

       /**
        * For system applications on userdebug/eng builds, log stack
        * traces of disk and network access to dropbox for analysis.
        */
       if ((data.appInfo.flags &
            (ApplicationInfo.FLAG_SYSTEM |
             ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) != 0) {
           StrictMode.conditionallyEnableDebugLogging();
       }

       /**
        * For apps targetting Honeycomb or later, we don't allow network usage
        * on the main event loop / UI thread. This is what ultimately throws
        * {@link NetworkOnMainThreadException}.
        */
       if (data.appInfo.targetSdkVersion >= Build.VERSION_CODES.HONEYCOMB) {
           StrictMode.enableDeathOnNetwork();
       }

       /**
        * For apps targetting N or later, we don't allow file:// Uri exposure.
        * This is what ultimately throws {@link FileUriExposedException}.
        */
       if (data.appInfo.targetSdkVersion >= Build.VERSION_CODES.N) {
           StrictMode.enableDeathOnFileUriExposure();
       }

       // We deprecated Build.SERIAL and only apps that target pre NMR1
       // SDK can see it. Since access to the serial is now behind a
       // permission we push down the value and here we fix it up
       // before any app code has been loaded.
       try {
           Field field = Build.class.getDeclaredField("SERIAL");
           field.setAccessible(true);
           field.set(Build.class, data.buildSerial);
       } catch (NoSuchFieldException | IllegalAccessException e) {
           /* ignore */
       }

       if (data.debugMode != ApplicationThreadConstants.DEBUG_OFF) {
           // XXX should have option to change the port.
           Debug.changeDebugPort(8100);
           if (data.debugMode == ApplicationThreadConstants.DEBUG_WAIT) {
               Slog.w(TAG, "Application " + data.info.getPackageName()
                     + " is waiting for the debugger on port 8100...");

               IActivityManager mgr = ActivityManager.getService();
               try {
                   mgr.showWaitingForDebugger(mAppThread, true);
               } catch (RemoteException ex) {
                   throw ex.rethrowFromSystemServer();
               }

               Debug.waitForDebugger();

               try {
                   mgr.showWaitingForDebugger(mAppThread, false);
               } catch (RemoteException ex) {
                   throw ex.rethrowFromSystemServer();
               }

           } else {
               Slog.w(TAG, "Application " + data.info.getPackageName()
                     + " can be debugged on port 8100...");
           }
       }

       // Allow application-generated systrace messages if we're debuggable.
       boolean isAppDebuggable = (data.appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
       Trace.setAppTracingAllowed(isAppDebuggable);
       if (isAppDebuggable && data.enableBinderTracking) {
           Binder.enableTracing();
       }

       /**
        * Initialize the default http proxy in this process for the reasons we set the time zone.
        */
       Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "Setup proxies");
       final IBinder b = ServiceManager.getService(Context.CONNECTIVITY_SERVICE);
       if (b != null) {
           // In pre-boot mode (doing initial launch to collect password), not
           // all system is up.  This includes the connectivity service, so don't
           // crash if we can't get it.
           final IConnectivityManager service = IConnectivityManager.Stub.asInterface(b);
           try {
               final ProxyInfo proxyInfo = service.getProxyForNetwork(null);
               Proxy.setHttpProxySystemProperty(proxyInfo);
           } catch (RemoteException e) {
               Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
               throw e.rethrowFromSystemServer();
           }
       }
       Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);

       // Instrumentation info affects the class loader, so load it before
       // setting up the app context.
       final InstrumentationInfo ii;
       if (data.instrumentationName != null) {
           try {
               ii = new ApplicationPackageManager(null, getPackageManager())
                       .getInstrumentationInfo(data.instrumentationName, 0);
           } catch (PackageManager.NameNotFoundException e) {
               throw new RuntimeException(
                       "Unable to find instrumentation info for: " + data.instrumentationName);
           }

           mInstrumentationPackageName = ii.packageName;
           mInstrumentationAppDir = ii.sourceDir;
           mInstrumentationSplitAppDirs = ii.splitSourceDirs;
           mInstrumentationLibDir = getInstrumentationLibrary(data.appInfo, ii);
           mInstrumentedAppDir = data.info.getAppDir();
           mInstrumentedSplitAppDirs = data.info.getSplitAppDirs();
           mInstrumentedLibDir = data.info.getLibDir();
       } else {
           ii = null;
       }

	
	// 创建ContextImpl上下文
       final ContextImpl appContext = ContextImpl.createAppContext(this, data.info);
       updateLocaleListFromAppContext(appContext,
               mResourcesManager.getConfiguration().getLocales());
	//缓冲目录设置相关
       if (!Process.isIsolated() && !"android".equals(appContext.getPackageName())) {
           // This cache location probably points at credential-encrypted
           // storage which may not be accessible yet; assign it anyway instead
           // of pointing at device-encrypted storage.
           final File cacheDir = appContext.getCacheDir();
           if (cacheDir != null) {
               // Provide a usable directory for temporary files
               System.setProperty("java.io.tmpdir", cacheDir.getAbsolutePath());
           } else {
               Log.v(TAG, "Unable to initialize \"java.io.tmpdir\" property "
                       + "due to missing cache directory");
           }

           // Setup a location to store generated/compiled graphics code.
           final Context deviceContext = appContext.createDeviceProtectedStorageContext();
           final File codeCacheDir = deviceContext.getCodeCacheDir();
           if (codeCacheDir != null) {
               setupGraphicsSupport(appContext, codeCacheDir);
           } else {
               Log.e(TAG, "Unable to setupGraphicsSupport due to missing code-cache directory");
           }
       }
	//进程相关的初始化代码，包含时区、StrictMode、调试模式等相关的设置
       // If we use profiles, setup the dex reporter to notify package manager
       // of any relevant dex loads. The idle maintenance job will use the information
       // reported to optimize the loaded dex files.
       // Note that we only need one global reporter per app.
       // Make sure we do this before calling onCreate so that we can capture the
       // complete application startup.
       if (SystemProperties.getBoolean("dalvik.vm.usejitprofiles", false)) {
           BaseDexClassLoader.setReporter(DexLoadReporter.getInstance());
       }

       // Install the Network Security Config Provider. This must happen before the application
       // code is loaded to prevent issues with instances of TLS objects being created before
       // the provider is installed.
       Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "NetworkSecurityConfigProvider.install");
       NetworkSecurityConfigProvider.install(appContext);
       Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);

       // 根据情况初始化Intrumentation对象
       if (ii != null) {
           final ApplicationInfo instrApp = new ApplicationInfo();
           ii.copyTo(instrApp);
           instrApp.initForUser(UserHandle.myUserId());
           final LoadedApk pi = getPackageInfo(instrApp, data.compatInfo,
                   appContext.getClassLoader(), false, true, false);
           final ContextImpl instrContext = ContextImpl.createAppContext(this, pi);

           try {
               final ClassLoader cl = instrContext.getClassLoader();
               mInstrumentation = (Instrumentation)
                   cl.loadClass(data.instrumentationName.getClassName()).newInstance();
           } catch (Exception e) {
               throw new RuntimeException(
                   "Unable to instantiate instrumentation "
                   + data.instrumentationName + ": " + e.toString(), e);
           }

           final ComponentName component = new ComponentName(ii.packageName, ii.name);
           mInstrumentation.init(this, instrContext, appContext, component,
                   data.instrumentationWatcher, data.instrumentationUiAutomationConnection);

           if (mProfiler.profileFile != null && !ii.handleProfiling
                   && mProfiler.profileFd == null) {
               mProfiler.handlingProfiling = true;
               final File file = new File(mProfiler.profileFile);
               file.getParentFile().mkdirs();
               Debug.startMethodTracing(file.toString(), 8 * 1024 * 1024);
           }
       } else {
           mInstrumentation = new Instrumentation();
       }

       if ((data.appInfo.flags&ApplicationInfo.FLAG_LARGE_HEAP) != 0) {
           dalvik.system.VMRuntime.getRuntime().clearGrowthLimit();
       } else {
           // Small heap, clamp to the current growth limit and let the heap release
           // pages after the growth limit to the non growth limit capacity. b/18387825
           dalvik.system.VMRuntime.getRuntime().clampGrowthLimit();
       }

       // Allow disk access during application and provider setup. This could
       // block processing ordered broadcasts, but later processing would
       // probably end up doing the same disk access.
       final StrictMode.ThreadPolicy savedPolicy = StrictMode.allowThreadDiskWrites();
       try {
           // If the app is being launched for full backup or restore, bring it up in
           // a restricted environment with the base application class.
		//此处data.info是指LoadedApk, 通过反射创建目标应用Application对象----此时应用已加载
           Application app = data.info.makeApplication(data.restrictedBackupMode, null);
           mInitialApplication = app;//设置全局Application

           // don't bring up providers in restricted mode; they may depend on the
           // app's custom Application class
		//装载Providers
           if (!data.restrictedBackupMode) {
               if (!ArrayUtils.isEmpty(data.providers)) {
                   installContentProviders(app, data.providers);
                   // For process that contains content providers, we want to
                   // ensure that the JIT is enabled "at some point".
                   mH.sendEmptyMessageDelayed(H.ENABLE_JIT, 10*1000);
               }
           }

           // Do this after providers, since instrumentation tests generally start their
           // test thread at this point, and we don't want that racing.
           try {
               mInstrumentation.onCreate(data.instrumentationArgs);
           }
           catch (Exception e) {
               throw new RuntimeException(
                   "Exception thrown in onCreate() of "
                   + data.instrumentationName + ": " + e.toString(), e);
           }

           try {
			
			
			
			//调用Application.onCreate()函数
               mInstrumentation.callApplicationOnCreate(app);
           } catch (Exception e) {
               if (!mInstrumentation.onException(app, e)) {
                   throw new RuntimeException(
                       "Unable to create application " + app.getClass().getName()
                       + ": " + e.toString(), e);
               }
           }
       } finally {
           StrictMode.setThreadPolicy(savedPolicy);
       }

       // Preload fonts resources
       FontsContract.setApplicationContextForResources(appContext);
       try {
           final ApplicationInfo info =
                   getPackageManager().getApplicationInfo(
                           data.appInfo.packageName,
                           PackageManager.GET_META_DATA /*flags*/,
                           UserHandle.myUserId());
           if (info.metaData != null) {
               final int preloadedFontsResource = info.metaData.getInt(
                       ApplicationInfo.METADATA_PRELOADED_FONTS, 0);
               if (preloadedFontsResource != 0) {
                   data.info.mResources.preloadFonts(preloadedFontsResource);
               }
           }
       } catch (RemoteException e) {
           throw e.rethrowFromSystemServer();
       }
   }

回调onCreat的部分
frameworks\base\core\java\android\app\Instrumentation.java

public void callApplicationOnCreate(Application app) {
    app.onCreate();
}

进程得到AMS传来的运行信息，获取相关资源，得到application，此时成为真正的app进程。

16-mStackSupervisor.attachApplicationLocked

接下来看下他的activity启动
mStackSupervisor.attachApplicationLocked(app)
frameworks\base\services\core\java\com\android\server\am\ActivityStackSupervisor.java

boolean attachApplicationLocked(ProcessRecord app) throws RemoteException {
    final String processName = app.processName;
    boolean didSomething = false;
    for (int displayNdx = mActivityDisplays.size() - 1; displayNdx >= 0; --displayNdx) {
        ArrayList<ActivityStack> stacks = mActivityDisplays.valueAt(displayNdx).mStacks;
        for (int stackNdx = stacks.size() - 1; stackNdx >= 0; --stackNdx) {
            final ActivityStack stack = stacks.get(stackNdx);
            if (!isFocusedStack(stack)) {
                continue;
            }
            ActivityRecord hr = stack.topRunningActivityLocked();
            if (hr != null) {
                if (hr.app == null && app.uid == hr.info.applicationInfo.uid
                        && processName.equals(hr.processName)) {
                    try {
                        if (realStartActivityLocked(hr, app, true, true)) {
                            didSomething = true;
                        }
                    } catch (RemoteException e) {
                        Slog.w(TAG, "Exception in new application when starting activity "
                              + hr.intent.getComponent().flattenToShortString(), e);
                        throw e;
                    }
                }
            }
        }
    }
    if (!didSomething) {
        ensureActivitiesVisibleLocked(null, 0, !PRESERVE_WINDOWS);
    }
    return didSomething;
}

遍历寻找所有ActivityStack和TaskRecord，对栈顶的ActivityRecord进行操作。这里其实就是需要启动应用进程中还未启动的Activity。

realStartActivityLocked中：

1. 将ProcessRecord和ActivityRecord关联。ActivityRecord对象的app属性，就是ProcessRecord类型
2. 跨进程调用IApplicationThread.scheduleLaunchActivity()，调度启动Activity。很多参数都会通过这个函数传递到应用进程；其中包括含ActivityRecord的Token
3. 调用AS.minimalResumeActivityLocked()来显示Activity。

20-handleLaunchActivity

scheduleLaunchActivity发送LAUNCH_ACTIVITY到ActivityThread.H
frameworks\base\core\java\android\app\ActivityThread.java

            case LAUNCH_ACTIVITY: {
                Trace.traceBegin(Trace.TRACE_TAG_ACTIVITY_MANAGER, "activityStart");
                final ActivityClientRecord r = (ActivityClientRecord) msg.obj;

                r.packageInfo = getPackageInfoNoCheck(
                        r.activityInfo.applicationInfo, r.compatInfo);
                handleLaunchActivity(r, null, "LAUNCH_ACTIVITY");
                Trace.traceEnd(Trace.TRACE_TAG_ACTIVITY_MANAGER);
            } break;


private void handleLaunchActivity(ActivityClientRecord r, Intent customIntent, String reason) {
    // If we are getting ready to gc after going to the background, well
    // we are back active so skip it.
    unscheduleGcIdler();
    mSomeActivitiesChanged = true;

    if (r.profilerInfo != null) {
        mProfiler.setProfiler(r.profilerInfo);
        mProfiler.startProfiling();
    }

    // Make sure we are running with the most recent config.
    handleConfigurationChanged(null, null);

    if (localLOGV) Slog.v(
        TAG, "Handling launch of " + r);

    // Initialize before creating the activity
    WindowManagerGlobal.initialize();

    Activity a = performLaunchActivity(r, customIntent);

    if (a != null) {
        r.createdConfig = new Configuration(mConfiguration);
        reportSizeConfigurations(r);
        Bundle oldState = r.state;
        handleResumeActivity(r.token, false, r.isForward,
                !r.activity.mFinished && !r.startsNotResumed, r.lastProcessedSeq, reason);

        if (!r.activity.mFinished && r.startsNotResumed) {
            // The activity manager actually wants this one to start out paused, because it
            // needs to be visible but isn't in the foreground. We accomplish this by going
            // through the normal startup (because activities expect to go through onResume()
            // the first time they run, before their window is displayed), and then pausing it.
            // However, in this case we do -not- need to do the full pause cycle (of freezing
            // and such) because the activity manager assumes it can just retain the current
            // state it has.
            performPauseActivityIfNeeded(r, reason);

            // We need to keep around the original state, in case we need to be created again.
            // But we only do this for pre-Honeycomb apps, which always save their state when
            // pausing, so we can not have them save their state when restarting from a paused
            // state. For HC and later, we want to (and can) let the state be saved as the
            // normal part of stopping the activity.
            if (r.isPreHoneycomb()) {
                r.state = oldState;
            }
        }
    } else {
        // If there was an error, for any reason, tell the activity manager to stop us.
        try {
            ActivityManager.getService()
                .finishActivity(r.token, Activity.RESULT_CANCELED, null,
                        Activity.DONT_FINISH_TASK_WITH_ACTIVITY);
        } catch (RemoteException ex) {
            throw ex.rethrowFromSystemServer();
        }
    }
}

1. 调用ActivityThread.performLaunchActivity()函数，初始化一个Activity，真正干活的是它
2. 调用ActivityThread.handleResumeActivity()来处理Activity进入显示状态时需要完成的操作

在performLaunchActivity中：获取activity参数（注册类名的原因、部分信息也都可以通过PackageManager再向系统进程索取），反射创建activity对象，创建activity的context，回调oncreate、onstart等函数。
在handleResumeActivity中：调用Activity.onResume()，通知系统进程，Activity已经处于Resumed状态

后记

由zygote fork出子进程后，构建activitythrea主线程和applicationThread，前者作为主线程用线程通信looper接受消息处理渲染等操作，后者作为binder线程接受AMS的消息管理应用。