基于Android-30源码(1-5)(和android-29类似)
后面6开始基于android-29
1. Activity.java -> startActivity(Intent intent)(5616) -> startActivityForResult(5315)
2. Instrumentation.java -> execStartActivity()(1690) -> ActivityTaskManager.getService().startActivity()
3. ActivityTaskManager.java ->
/** @hide */
public static IActivityTaskManager getService() {
return IActivityTaskManagerSingleton.get();
}
@UnsupportedAppUsage(trackingBug = 129726065)
private static final Singleton<IActivityTaskManager> IActivityTaskManagerSingleton =
new Singleton<IActivityTaskManager>() {
@Override
protected IActivityTaskManager create() {
final IBinder b = ServiceManager.getService(Context.ACTIVITY_TASK_SERVICE);
return IActivityTaskManager.Stub.asInterface(b);
}
};
4. ActivityManagerService.startActivity-> ActivityTaskManagerService.startActivity()(1043) -> ActivityTaskManagerService.startActivityAsUser()(1077)
它通过getActivityStartController().obtainStarter返回一个ActivityStarter对象并调用它的exeute方法
// TODO: Switch to user app stacks here.
/**
getActivityStartController().obtainStarter(intent, "startActivityAsUser") 返回一个ActivityStarter.java实例
**/
return getActivityStartController().obtainStarter(intent, "startActivityAsUser")
.setCaller(caller)
.setCallingPackage(callingPackage)
.setCallingFeatureId(callingFeatureId)
.setResolvedType(resolvedType)
.setResultTo(resultTo)
.setResultWho(resultWho)
.setRequestCode(requestCode)
.setStartFlags(startFlags)
.setProfilerInfo(profilerInfo)
.setActivityOptions(bOptions)
.setUserId(userId)
.execute();
5. 执行ActivityStarter.java的execute()方法
ActivityStarter.java 628行 execute()方法
int execute() {
try {
...
synchronized (mService.mGlobalLock) {
final ActivityRecord caller = ActivityRecord.forTokenLocked(mRequest.resultTo);
launchingState = mSupervisor.getActivityMetricsLogger().notifyActivityLaunching(
mRequest.intent, caller);
}
//主要看这个方法,他将开始执行intent 请求
res = executeRequest(mRequest);
...
mSupervisor.getActivityMetricsLogger().notifyActivityLaunched(launchingState, res,
mLastStartActivityRecord);
return getExternalResult(mRequest.waitResult == null ? res
: waitForResult(res, mLastStartActivityRecord));
}
} finally {
...
}
}
从这里开始用android-29源码,30源码暂时太难跟踪了
5. 这是Android-29
ActivityStarter.java 中execute()方法
//mRequest.mayWait为true
int execute() {
try {
// TODO(b/64750076): Look into passing request directly to these methods to allow
// for transactional diffs and preprocessing.
if (mRequest.mayWait) {
return startActivityMayWait(mRequest.caller, ... mRequest.allowPendingRemoteAnimationRegistryLookup,
mRequest.originatingPendingIntent, mRequest.allowBackgroundActivityStart);
} else {
return startActivity(mRequest.caller, mRequest.intent, ...mmRequest.allowBackgroundActivityStart);
}
} finally {
onExecutionComplete();
}
}
6. 因为mRequest.mayWait为true,进入private int startActivityMayWait()方法
private int startActivityMayWait(){
...
1288行 int res = startActivity(caller, intent, ephemeralIntent, resolvedType, aInfo, rInfo,
voiceSession, voiceInteractor, resultTo, resultWho, requestCode, callingPid,
callingUid, callingPackage, realCallingPid, realCallingUid, startFlags, options,
ignoreTargetSecurity, componentSpecified, outRecord, inTask, reason,
allowPendingRemoteAnimationRegistryLookup, originatingPendingIntent,
allowBackgroundActivityStart);
...
}
7. 根据前面,进入566行的startActivity()方法
private int startActivity(){
...
583行 mLastStartActivityResult = startActivity(caller, intent, ephemeralIntent, resolvedType,
aInfo, rInfo, voiceSession, voiceInteractor, resultTo, resultWho, requestCode,
callingPid, callingUid, callingPackage, realCallingPid, realCallingUid, startFlags,
options, ignoreTargetSecurity, componentSpecified, mLastStartActivityRecord,
inTask, allowPendingRemoteAnimationRegistryLookup, originatingPendingIntent,
allowBackgroundActivityStart);
return getExternalResult(mLastStartActivityResult);
}
8. 根据7进入611行的startActivity()方法
private int startActivity(){
...
933行 final int res = startActivity(r, sourceRecord, voiceSession, voiceInteractor, startFlags,
true /* doResume */, checkedOptions, inTask, outActivity, restrictedBgActivity);
mSupervisor.getActivityMetricsLogger().notifyActivityLaunched(res, outActivity[0]);
return res;
}
9. 根据8进入1386行的startActivity()方法
private int startActivity(){
...
try {
1393行
mService.mWindowManager.deferSurfaceLayout();
result = startActivityUnchecked(r, sourceRecord, voiceSession, voiceInteractor,
startFlags, doResume, options, inTask, outActivity, restrictedBgActivity);
}
...
}
10. 根据9进入1464行的startActivityUnchecked()方法
private int startActivityUnchecked(){
...
1641行 if (mDoResume) {
mRootActivityContainer.resumeFocusedStacksTopActivities();
}
...
}
11. 根据10进入RootActivityContainer.java的resumeFocusedStacksTopActivities()方法
boolean resumeFocusedStacksTopActivities() {
return resumeFocusedStacksTopActivities(null, null, null);
}
boolean resumeFocusedStacksTopActivities(...){
...
if (targetStack != null && (targetStack.isTopStackOnDisplay()
|| getTopDisplayFocusedStack() == targetStack)) {
1158行 result = targetStack.resumeTopActivityUncheckedLocked(target, targetOptions);
}
...
}
12. 根据11,进入到ActivityStack.java中的resumeTopActivityUncheckedLocked()方法,而它又调用了resumeTopActivityInnerLocked()方法
private boolean resumeTopActivityInnerLocked(ActivityRecord prev,
ActivityOptions options) {
...
3037行 mStackSupervisor.startSpecificActivityLocked(next, true, true);
}
13. 根据12进入到ActivityStackSupervisor.java的startSpecificActivityLocked()方法,而它又调用了realStartActivityLocked()方法
这里创建了ClientTransaction事务并给他添加了callback LaunchActivityItem
mService.getLifecycleManager()返回一个ClientLifecycleManager对象
705行
boolean realStartActivityLocked(ActivityRecord r, WindowProcessController proc,
boolean andResume, boolean checkConfig) throws RemoteException {
...
//这里注意LaunchActivityItem.java类,实际上是后面回调ActivityThread.java中handlerLaunchActivity的入口
clientTransaction.addCallback(LaunchActivityItem.obtain(new Intent(r.intent),
System.identityHashCode(r), r.info,
// TODO: Have this take the merged configuration instead of separate global
// and override configs.
mergedConfiguration.getGlobalConfiguration(),
mergedConfiguration.getOverrideConfiguration(), r.compat,
r.launchedFromPackage, task.voiceInteractor, proc.getReportedProcState(),
r.icicle, r.persistentState, results, newIntents,
dc.isNextTransitionForward(), proc.createProfilerInfoIfNeeded(),
r.assistToken));
..
// Schedule transaction.
853行 mService.getLifecycleManager().scheduleTransaction(clientTransaction);
...
}
14. 根据13进入到ClientLifecycleManager.java中的scheduleTransaction()方法(即调度事务)
该方法比较简单,它实际上调用了ClientTransaction.java中的schedule()方法。
void scheduleTransaction(ClientTransaction transaction) throws RemoteException {
final IApplicationThread client = transaction.getClient();
transaction.schedule();
if (!(client instanceof Binder)) {
// If client is not an instance of Binder - it's a remote call and at this point it is
// safe to recycle the object. All objects used for local calls will be recycled after
// the transaction is executed on client in ActivityThread.
transaction.recycle();
}
}
15. 根据14进入到ClientTransaction.java中的schedule()方法
它呢又调用了mClient的scheduleTransaction方法,那mClient是谁呢? 他就是IApplicationThread。实际上就是ApplicationThread(它是ActivityThread.java的内部类)代理类,通过Binder同AMS通信的。
从这里开始将从AMS切换到App的进程
public void schedule() throws RemoteException {
mClient.scheduleTransaction(this);
}
-----------------------------AMS切回App进程-------------------
16、那么现在我们进入ActivityThread.java中的内部类ApplicationThread中找到scheduleTransaction()方法
@Override
1665行 public void scheduleTransaction(ClientTransaction transaction) throws RemoteException {
ActivityThread.this.scheduleTransaction(transaction);
}
而ActivityThread.this.scheduleTransaction(transaction)实际上是进入了ActivityThread的父类ClientTransactionHandler.java中的scheduleTransaction()方法,它通过Handler发送了一个ActivityThread.H.EXECUTE_TRANSACTION消息
ClientTransactionHandler.java
/** Prepare and schedule transaction for execution. */
void scheduleTransaction(ClientTransaction transaction) {
transaction.preExecute(this);
sendMessage(ActivityThread.H.EXECUTE_TRANSACTION, transaction);
}
17、进入到ActivityThread.java中找到接受消息的地方
2017行 case EXECUTE_TRANSACTION:
final ClientTransaction transaction = (ClientTransaction) msg.obj;
mTransactionExecutor.execute(transaction);
break;
17.1 然后在TransactionExecutor.java中的execute()中,它又会去调用executeCallbacks(transaction)方法
TransactionExecutor.java
public void execute(ClientTransaction transaction) {
...
95行 executeCallbacks(transaction);
executeLifecycleState(transaction);
...
}
进入executeCallbacks()方法
public void executeCallbacks(ClientTransaction transaction) {
//item为ClientTransactionItem对象
135行 item.execute(mTransactionHandler, token, mPendingActions);
}
18、因为ClientTransactionItem实际上是一个抽象类,并没有execute()方法,那么只有找到它的子类了,而mTransactionHandler实际上就是我们ActivityThread,
在之前13小点的时候, 在ActivitySuperSupervisor.java的realStartActivityLocked()中它调用了mService.getLifecycleManager().scheduleTransaction(clientTransaction); 而在它之前有一步,不要忘记了,这里再看下
705行
boolean realStartActivityLocked(ActivityRecord r, WindowProcessController proc,
boolean andResume, boolean checkConfig) throws RemoteException {
...
//这里注意LaunchActivityItem.java类,实际上是后面回调ActivityThread.java中handlerLaunchActivity的入口
clientTransaction.addCallback(LaunchActivityItem.obtain(new Intent(r.intent),
...
dc.isNextTransitionForward(), proc.createProfilerInfoIfNeeded(),
r.assistToken));
..
// onCreate调用完后,接着调用onResume的入口
final ActivityLifecycleItem lifecycleItem;
if (andResume) {
lifecycleItem = ResumeActivityItem.obtain(dc.isNextTransitionForward());
} else {
lifecycleItem = PauseActivityItem.obtain();
}
clientTransaction.setLifecycleStateRequest(lifecycleItem);
// Schedule transaction.
853行 mService.getLifecycleManager().scheduleTransaction(clientTransaction);
...
}
clientTrancaction.addCallback()这里添加的callback实际上就是LaunchActivityItem
19、这里接着17点和结合18点,那么item.execute(mTransactionHandler, token, mPendingActions)实际上就是调用了LaunchActivityItem的execute()方法,
它通过client调用了handlerLaunchActivity()方法。这里client实际上就是ActivityThread.
LuanchActivityItem.java
@Override
public void execute(ClientTransactionHandler client, IBinder token,
PendingTransactionActions pendingActions) {
ActivityClientRecord r = new ActivityClientRecord(token, mIntent, mIdent, mInfo,
mOverrideConfig, mCompatInfo, mReferrer, mVoiceInteractor, mState, mPersistentState,
mPendingResults, mPendingNewIntents, mIsForward,
mProfilerInfo, client, mAssistToken);
client.handleLaunchActivity(r, pendingActions, null /* customIntent */);
}
20、接着又进入ActivityThread.java中的handleLaunchActivity()方法
@Override
3381行 public Activity handleLaunchActivity(ActivityClientRecord r,
PendingTransactionActions pendingActions, Intent customIntent) {
...
3409行 final Activity a = performLaunchActivity(r, customIntent);
...
}
21、进入到ActivityThread.java中的performLaunchActivity()方法
/** Core implementation of activity launch. */
3159行 private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
...
//通过反射创建Activity实例
//(Activity) cl.loadClass(className).newInstance();
3181行 java.lang.ClassLoader cl = appContext.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
...
3199行 Application app = r.packageInfo.makeApplication(false, mInstrumentation);
...
//调用Activity的attch()方法
3224行 activity.attach(appContext, this, getInstrumentation(), r.token,
r.ident, app, r.intent, r.activityInfo, title, r.parent,
r.embeddedID, r.lastNonConfigurationInstances, config,
r.referrer, r.voiceInteractor, window, r.configCallback,
r.assistToken);
...
//然后通过Instrumentation.callActivityOnCreate方法调用Activity的onCreate方法
3245行 mInstrumentation.callActivityOnCreate(activity, r.state);
}
21.1 3199行 Application app = r.packageInfo.makeApplication(false, mInstrumentation)生成了一个Application对象,
进入LoaderApk.java中的makeApplication()方法,实际调用了mActivityThread.mInstrumentation.newApplication(
cl, appClass, appContext);还是使用了Instrumentation.java的newApplication()方法反射生成Application对象
public Application newApplication(ClassLoader cl, String className, Context context)
throws InstantiationException, IllegalAccessException,
ClassNotFoundException {
Application app = getFactory(context.getPackageName())
.instantiateApplication(cl, className);
app.attach(context);
return app;
}
然后调用了Application的attach方法,而在attach方法中会去调用attachBaseContext()方法,这也是很多apk解密的地方
/* package */ final void attach(Context context) {
attachBaseContext(context);
mLoadedApk = ContextImpl.getImpl(context).mPackageInfo;
}
21.2 3245行然后通过Instrumentation.callActivityOnCreate方法调用activity.performCreate(icicle);方法
public void callActivityOnCreate(Activity activity, Bundle icicle) {
prePerformCreate(activity);
activity.performCreate(icicle);
postPerformCreate(activity);
}
然后在Activity.java中的performCreate()方法中我们看到了调用了onCreate()方法了。
final void performCreate(Bundle icicle, PersistableBundle persistentState) {
dispatchActivityPreCreated(icicle);
...
if (persistentState != null) {
onCreate(icicle, persistentState);
} else {
onCreate(icicle);
}
...
dispatchActivityPostCreated(icicle);
}
至此我们通过Activity.startActivity()方法,跟踪进入到ActivityTaskManagerService中,然后最终在ClientTransaction的schdule中通过IApplicationThread回调了ApplicationThread的schduleTransaction方法。
然后通过一些操作,最终通过ClientTransaction.addCallback时添加的LaunchActivityItem中的execute()方法回调了ActivityThread中的handleLaunchActivity()方法,进而实例化了Activity(ActivityRecord)和Application
网友评论