startServie启动过程

基于Android10.0，分析startService的启动过程

一、概述

前面已经介绍了详细介绍了管理Android四大剑客Activity、Service、Broadcast、ContentProvider的ActivityManagerService启动的详细流程，这里讲从应用startService的启动过程来分析AMS。

ActivityManagerService相关的类图如下：

启动服务通过startServie或者bindService即可，该过程如下：

当应用调用Andorid API方法startServie或者bindService来启动服务的过程，主要是AMS来完成的。

1.AMS通过socket通信方式向zygote进程请求创建用于承载服务进程的ActivityThread。如果启动服务运行在本地服务则不需要再次创建进程。

2.zygote通过fork的方法，将zygote进程复制升级新的进程，并将ActivityThread相关的资源加载到新进程。

3.AMS向新生成的ActivityThread进程，通过Binder方式发送创建服务的请求

4.ActivityThread启动本地运行服务。

启动服务的流程如下：

二、启动服务进程端

在app中调用startService，调用的是ContextWrapper中的startService

1. CW.startService

[->ContextWrapper.java]

@Override
public ComponentName startService(Intent service) {
     //mBase为ContextImpl对象
    return mBase.startService(service);
}

2. Cl.startService

[->ContextImpl.java]

@Override
public ComponentName startService(Intent service) {
      //system进程调用此方法时输出warn信息
       warnIfCallingFromSystemProcess();
       return startServiceCommon(service, false, mUser);
 }

3. CI.startServiceCommon

[->ContextImpl.java]

private ComponentName startServiceCommon(Intent service, boolean requireForeground,
           UserHandle user) {
       try {
           //校验service，sdk大于等于21时，service中必须带Component和Package
           validateServiceIntent(service);
           service.prepareToLeaveProcess(this);
           //通过binder调用startService,见1.4节
           ComponentName cn = ActivityManager.getService().startService(
               mMainThread.getApplicationThread(), service, service.resolveTypeIfNeeded(
                           getContentResolver()), requireForeground,
                           getOpPackageName(), user.getIdentifier());
           if (cn != null) {
               if (cn.getPackageName().equals("!")) {
                   throw new SecurityException(
                           "Not allowed to start service " + service
                           + " without permission " + cn.getClassName());
               } else if (cn.getPackageName().equals("!!")) {
                   throw new SecurityException(
                           "Unable to start service " + service
                           + ": " + cn.getClassName());
               } else if (cn.getPackageName().equals("?")) {
                   throw new IllegalStateException(
                           "Not allowed to start service " + service + ": " + cn.getClassName());
               }
           }
           return cn;
       } catch (RemoteException e) {
           throw e.rethrowFromSystemServer();
       }
   }

4. AM.getService

这个方法和Android6.0不一样，没有了ActivityManagerNative和ActivityManagerProxy，直接通过IActivityManager.aidl生成的接口获得ActivityManagerService的代理。startService通过Binder机制，调用了服务器端AMS的startService方法。

/**
 * @hide
 */
@UnsupportedAppUsage
public static IActivityManager getService() {
    return IActivityManagerSingleton.get();
}

@UnsupportedAppUsage
private static final Singleton<IActivityManager> IActivityManagerSingleton =
        new Singleton<IActivityManager>() {
            @Override
            protected IActivityManager create() {
                final IBinder b = ServiceManager.getService(Context.ACTIVITY_SERVICE);
                //IAcitivityManager.aidl编译会生成相应的代理类和实现类
                final IActivityManager am = IActivityManager.Stub.asInterface(b);
                return am;
            }
        };

三、SystemServer端

5. AMS.startService

[->ActivityManagerService.java]

@Override
  public ComponentName startService(IApplicationThread caller, Intent service,
          String resolvedType, boolean requireForeground, String callingPackage, int userId)
          throws TransactionTooLargeException {
      //当调用进程是孤立进程时抛出异常，孤立进程uid为99000~99999
      enforceNotIsolatedCaller("startService");
      // Refuse possible leaked file descriptors
      if (service != null && service.hasFileDescriptors() == true) {
          throw new IllegalArgumentException("File descriptors passed in Intent");
      }

      if (callingPackage == null) {
          throw new IllegalArgumentException("callingPackage cannot be null");
      }

      if (DEBUG_SERVICE) Slog.v(TAG_SERVICE,
              "*** startService: " + service + " type=" + resolvedType + " fg=" + requireForeground);
      synchronized(this) {
          //调用者pid
          final int callingPid = Binder.getCallingPid();
          //调用者uid
          final int callingUid = Binder.getCallingUid();
          final long origId = Binder.clearCallingIdentity();
          ComponentName res;
          try {
              //mServices为ActiveServices对象
              res = mServices.startServiceLocked(caller, service,
                      resolvedType, callingPid, callingUid,
                      requireForeground, callingPackage, userId);
          } finally {
              Binder.restoreCallingIdentity(origId);
          }
          return res;
      }
  }

startServiceLocked方法参数说明：

caller：IApplicationThread类型

service：Intent类型，包含运行的Service信息

resolvedType：String类型

callingPid：调用者pid

callingUid：调用者uid

requireForeground：是否需要前台运行，前面传的是false

callingPackage：调用该方法的包名

userId：用户id

6. AS.startServiceLocked

[->ActiveServices.java]

ComponentName startServiceLocked(IApplicationThread caller, Intent service, String resolvedType,
          int callingPid, int callingUid, boolean fgRequired, String callingPackage, final int userId)
          throws TransactionTooLargeException {
      if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "startService: " + service
              + " type=" + resolvedType + " args=" + service.getExtras());

      final boolean callerFg;
      if (caller != null) {
          //进程不存在抛出异常
          final ProcessRecord callerApp = mAm.getRecordForAppLocked(caller);
          if (callerApp == null) {
              throw new SecurityException(
                      "Unable to find app for caller " + caller
                      + " (pid=" + callingPid
                      + ") when starting service " + service);
          }
          callerFg = callerApp.setSchedGroup != ProcessList.SCHED_GROUP_BACKGROUND;
      } else {
          callerFg = true;
      }
      //检查服务信息
      ServiceLookupResult res =
          retrieveServiceLocked(service, resolvedType, callingPackage,
                  callingPid, callingUid, userId, true, callerFg, false, false);
      if (res == null) {
          return null;
      }
      if (res.record == null) {
          return new ComponentName("!", res.permission != null
                  ? res.permission : "private to package");
      }

      ServiceRecord r = res.record;
      //检查是否存在启动服务的user
      if (!mAm.mUserController.exists(r.userId)) {
          Slog.w(TAG, "Trying to start service with non-existent user! " + r.userId);
          return null;
      }

      //是否运行后台启动服务
      // If we're starting indirectly (e.g. from PendingIntent), figure out whether
      // we're launching into an app in a background state.  This keys off of the same
      // idleness state tracking as e.g. O+ background service start policy.
      final boolean bgLaunch = !mAm.isUidActiveLocked(r.appInfo.uid);

      // If the app has strict background restrictions, we treat any bg service
      // start analogously to the legacy-app forced-restrictions case, regardless
      // of its target SDK version.
      boolean forcedStandby = false;
      if (bgLaunch && appRestrictedAnyInBackground(r.appInfo.uid, r.packageName)) {
          if (DEBUG_FOREGROUND_SERVICE) {
              Slog.d(TAG, "Forcing bg-only service start only for " + r.shortName
                      + " : bgLaunch=" + bgLaunch + " callerFg=" + callerFg);
          }
          forcedStandby = true;
      }
      //如果是要求前台启动，则允许每个应用操作
      // If this is a direct-to-foreground start, make sure it is allowed as per the app op.
      boolean forceSilentAbort = false;
      if (fgRequired) {
          final int mode = mAm.mAppOpsService.checkOperation(
                  AppOpsManager.OP_START_FOREGROUND, r.appInfo.uid, r.packageName);
          switch (mode) {
              case AppOpsManager.MODE_ALLOWED:
              case AppOpsManager.MODE_DEFAULT:
                  // All okay.
                  break;
              case AppOpsManager.MODE_IGNORED:
                  // Not allowed, fall back to normal start service, failing siliently
                  // if background check restricts that.
                  Slog.w(TAG, "startForegroundService not allowed due to app op: service "
                          + service + " to " + r.name.flattenToShortString()
                          + " from pid=" + callingPid + " uid=" + callingUid
                          + " pkg=" + callingPackage);
                  fgRequired = false;
                  forceSilentAbort = true;
                  break;
              default:
                  return new ComponentName("!!", "foreground not allowed as per app op");
          }
      }
    
      //如果不是前台启动，则检查服务是否可以启动
      // If this isn't a direct-to-foreground start, check our ability to kick off an
      // arbitrary service
      if (forcedStandby || (!r.startRequested && !fgRequired)) {
          // Before going further -- if this app is not allowed to start services in the
          // background, then at this point we aren't going to let it period.
          final int allowed = mAm.getAppStartModeLocked(r.appInfo.uid, r.packageName,
                  r.appInfo.targetSdkVersion, callingPid, false, false, forcedStandby);
          if (allowed != ActivityManager.APP_START_MODE_NORMAL) {
              Slog.w(TAG, "Background start not allowed: service "
                      + service + " to " + r.name.flattenToShortString()
                      + " from pid=" + callingPid + " uid=" + callingUid
                      + " pkg=" + callingPackage + " startFg?=" + fgRequired);
              if (allowed == ActivityManager.APP_START_MODE_DELAYED || forceSilentAbort) {
                  // In this case we are silently disabling the app, to disrupt as
                  // little as possible existing apps.
                  return null;
              }
              if (forcedStandby) {
                  // This is an O+ app, but we might be here because the user has placed
                  // it under strict background restrictions.  Don't punish the app if it's
                  // trying to do the right thing but we're denying it for that reason.
                  if (fgRequired) {
                      if (DEBUG_BACKGROUND_CHECK) {
                          Slog.v(TAG, "Silently dropping foreground service launch due to FAS");
                      }
                      return null;
                  }
              }
              // This app knows it is in the new model where this operation is not
              // allowed, so tell it what has happened.
              UidRecord uidRec = mAm.mActiveUids.get(r.appInfo.uid);
              return new ComponentName("?", "app is in background uid " + uidRec);
          }
      }
     
      //前台服务判断，小于android10.0 则fgRequired为false
      // At this point we've applied allowed-to-start policy based on whether this was
      // an ordinary startService() or a startForegroundService().  Now, only require that
      // the app follow through on the startForegroundService() -> startForeground()
      // contract if it actually targets O+.
      if (r.appInfo.targetSdkVersion < Build.VERSION_CODES.O && fgRequired) {
          if (DEBUG_BACKGROUND_CHECK || DEBUG_FOREGROUND_SERVICE) {
              Slog.i(TAG, "startForegroundService() but host targets "
                      + r.appInfo.targetSdkVersion + " - not requiring startForeground()");
          }
          fgRequired = false;
      }

      NeededUriGrants neededGrants = mAm.checkGrantUriPermissionFromIntentLocked(
              callingUid, r.packageName, service, service.getFlags(), null, r.userId);
      //如果权限需要授权，则不启动服务
      // If permissions need a review before any of the app components can run,
      // we do not start the service and launch a review activity if the calling app
      // is in the foreground passing it a pending intent to start the service when
      // review is completed.
      if (mAm.mPermissionReviewRequired) {
          // XXX This is not dealing with fgRequired!
          if (!requestStartTargetPermissionsReviewIfNeededLocked(r, callingPackage,
                  callingUid, service, callerFg, userId)) {
              return null;
          }
      }

      if (unscheduleServiceRestartLocked(r, callingUid, false)) {
          if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "START SERVICE WHILE RESTART PENDING: " + r);
      }
      r.lastActivity = SystemClock.uptimeMillis();
      r.startRequested = true;
      r.delayedStop = false;
      r.fgRequired = fgRequired;
      r.pendingStarts.add(new ServiceRecord.StartItem(r, false, r.makeNextStartId(),
              service, neededGrants, callingUid));

      if (fgRequired) {
          // We are now effectively running a foreground service.
          mAm.mAppOpsService.startOperation(AppOpsManager.getToken(mAm.mAppOpsService),
                  AppOpsManager.OP_START_FOREGROUND, r.appInfo.uid, r.packageName, true);
      }

      final ServiceMap smap = getServiceMapLocked(r.userId);
      boolean addToStarting = false;
      //非前台服务的管理
      if (!callerFg && !fgRequired && r.app == null
              && mAm.mUserController.hasStartedUserState(r.userId)) {
          ProcessRecord proc = mAm.getProcessRecordLocked(r.processName, r.appInfo.uid, false);
          if (proc == null || proc.curProcState > ActivityManager.PROCESS_STATE_RECEIVER) {
              // If this is not coming from a foreground caller, then we may want
              // to delay the start if there are already other background services
              // that are starting.  This is to avoid process start spam when lots
              // of applications are all handling things like connectivity broadcasts.
              // We only do this for cached processes, because otherwise an application
              // can have assumptions about calling startService() for a service to run
              // in its own process, and for that process to not be killed before the
              // service is started.  This is especially the case for receivers, which
              // may start a service in onReceive() to do some additional work and have
              // initialized some global state as part of that.
              if (DEBUG_DELAYED_SERVICE) Slog.v(TAG_SERVICE, "Potential start delay of "
                      + r + " in " + proc);
              //如果延迟启动
              if (r.delayed) {
                  // This service is already scheduled for a delayed start; just leave
                  // it still waiting.
                  if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "Continuing to delay: " + r);
                  return r.name;
              }
              //如果后台启动的服务数大于同一时间内启动的最大服务数，则加入延迟启动队列
              if (smap.mStartingBackground.size() >= mMaxStartingBackground) {
                  // Something else is starting, delay!
                  Slog.i(TAG_SERVICE, "Delaying start of: " + r);
                  smap.mDelayedStartList.add(r);
                  r.delayed = true;
                  return r.name;
              }
              if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "Not delaying: " + r);
              addToStarting = true;
          } else if (proc.curProcState >= ActivityManager.PROCESS_STATE_SERVICE) {
              // We slightly loosen when we will enqueue this new service as a background
              // starting service we are waiting for, to also include processes that are
              // currently running other services or receivers.
              //将服务加入到后台启动队列
              addToStarting = true;
              if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE,
                      "Not delaying, but counting as bg: " + r);
          } else if (DEBUG_DELAYED_STARTS) {
              StringBuilder sb = new StringBuilder(128);
              sb.append("Not potential delay (state=").append(proc.curProcState)
                      .append(' ').append(proc.adjType);
              String reason = proc.makeAdjReason();
              if (reason != null) {
                  sb.append(' ');
                  sb.append(reason);
              }
              sb.append("): ");
              sb.append(r.toString());
              Slog.v(TAG_SERVICE, sb.toString());
          }
      } else if (DEBUG_DELAYED_STARTS) {
          if (callerFg || fgRequired) {
              Slog.v(TAG_SERVICE, "Not potential delay (callerFg=" + callerFg + " uid="
                      + callingUid + " pid=" + callingPid + " fgRequired=" + fgRequired + "): " + r);
          } else if (r.app != null) {
              Slog.v(TAG_SERVICE, "Not potential delay (cur app=" + r.app + "): " + r);
          } else {
              Slog.v(TAG_SERVICE,
                      "Not potential delay (user " + r.userId + " not started): " + r);
          }
      }

      ComponentName cmp = startServiceInnerLocked(smap, service, r, callerFg, addToStarting);
      return cmp;
  }

可以看到，Android10.0对于后台服务的启动，要求更加的严格。如果allowed不等于APP_START_MODE_NORMAL，则后台服务将不允许被启动。

callerFg对用于标记前台还是后台，当发起方进程不等于SCHED_GROUP_BACKGROUND或者发起方为空，则callerFg= true，否则为false。

6.1 AMS.getAppStartModeLocked

[->ActivityManagerService.java]

int getAppStartModeLocked(int uid, String packageName, int packageTargetSdk,
          int callingPid, boolean alwaysRestrict, boolean disabledOnly, boolean forcedStandby) {
      UidRecord uidRec = mActiveUids.get(uid);
      if (DEBUG_BACKGROUND_CHECK) Slog.d(TAG, "checkAllowBackground: uid=" + uid + " pkg="
              + packageName + " rec=" + uidRec + " always=" + alwaysRestrict + " idle="
              + (uidRec != null ? uidRec.idle : false));
      //不进入这里则会被允许启动后台服务，否则将会进入下一步的检查
      if (uidRec == null || alwaysRestrict || forcedStandby || uidRec.idle) {
          boolean ephemeral;
          if (uidRec == null) {
              ephemeral = getPackageManagerInternalLocked().isPackageEphemeral(
                      UserHandle.getUserId(uid), packageName);
          } else {
              ephemeral = uidRec.ephemeral;
          }

          if (ephemeral) {
              // We are hard-core about ephemeral apps not running in the background.
              return ActivityManager.APP_START_MODE_DISABLED;
          } else {
              if (disabledOnly) {
                  // The caller is only interested in whether app starts are completely
                  // disabled for the given package (that is, it is an instant app).  So
                  // we don't need to go further, which is all just seeing if we should
                  // apply a "delayed" mode for a regular app.
                  return ActivityManager.APP_START_MODE_NORMAL;
              }
              //alwaysRestrict为上面传过来的callerFg
              final int startMode = (alwaysRestrict)
                      ? appRestrictedInBackgroundLocked(uid, packageName, packageTargetSdk)
                      : appServicesRestrictedInBackgroundLocked(uid, packageName,
                              packageTargetSdk);
              if (DEBUG_BACKGROUND_CHECK) {
                  Slog.d(TAG, "checkAllowBackground: uid=" + uid
                          + " pkg=" + packageName + " startMode=" + startMode
                          + " onwhitelist=" + isOnDeviceIdleWhitelistLocked(uid, false)
                          + " onwhitelist(ei)=" + isOnDeviceIdleWhitelistLocked(uid, true));
              }
              //延时模式下如果发起方的进行存在则还是可以启动
              if (startMode == ActivityManager.APP_START_MODE_DELAYED) {
                  // This is an old app that has been forced into a "compatible as possible"
                  // mode of background check.  To increase compatibility, we will allow other
                  // foreground apps to cause its services to start.
                  if (callingPid >= 0) {
                      ProcessRecord proc;
                      synchronized (mPidsSelfLocked) {
                          proc = mPidsSelfLocked.get(callingPid);
                      }
                      if (proc != null &&
                              !ActivityManager.isProcStateBackground(proc.curProcState)) {
                          // Whoever is instigating this is in the foreground, so we will allow it
                          // to go through.
                          return ActivityManager.APP_START_MODE_NORMAL;
                      }
                  }
              }
              return startMode;
          }
      }
      return ActivityManager.APP_START_MODE_NORMAL;
  }

getAppStartModeLocked方法获取是否允许是否后台启动，一般callerFg为false，从而会进行服务再一次判断，普通的服务会进入appServicesRestrictedInBackgroundLocked方法进行判断如下：

6.2 AMS.appServicesRestrictedInBackgroundLocked

[->ActivityManagerService.java]

// Service launch is available to apps with run-in-background exemptions but
// some other background operations are not.  If we're doing a check
// of service-launch policy, allow those callers to proceed unrestricted.
int appServicesRestrictedInBackgroundLocked(int uid, String packageName, int packageTargetSdk)    {
   // Persistent进程
   // Persistent app?
    if (mPackageManagerInt.isPackagePersistent(packageName)) {
        if (DEBUG_BACKGROUND_CHECK) {
            Slog.i(TAG, "App " + uid + "/" + packageName
                    + " is persistent; not restricted in background");
        }
        return ActivityManager.APP_START_MODE_NORMAL;
    }
    //uid白名单
    // Non-persistent but background whitelisted?
    if (uidOnBackgroundWhitelist(uid)) {
        if (DEBUG_BACKGROUND_CHECK) {
            Slog.i(TAG, "App " + uid + "/" + packageName
                    + " on background whitelist; not restricted in background");
        }
        return ActivityManager.APP_START_MODE_NORMAL;
    }
    //电池白名单
    // Is this app on the battery whitelist?
    if (isOnDeviceIdleWhitelistLocked(uid, /*allowExceptIdleToo=*/ false)) {
        if (DEBUG_BACKGROUND_CHECK) {
            Slog.i(TAG, "App " + uid + "/" + packageName
                    + " on idle whitelist; not restricted in background");
        }
        return ActivityManager.APP_START_MODE_NORMAL;
    }

    // None of the service-policy criteria apply, so we apply the common criteria
    return appRestrictedInBackgroundLocked(uid, packageName, packageTargetSdk);
}

可以看到对于persistent app、uid后台服务白名单、电池白名单里面都是可以启动后台服务的。

7. AS.startServiceInnerLocked

[->ActiveServices.java]

ComponentName startServiceInnerLocked(ServiceMap smap, Intent service, ServiceRecord r,
           boolean callerFg, boolean addToStarting) throws TransactionTooLargeException {
       ServiceState stracker = r.getTracker();
       if (stracker != null) {
           stracker.setStarted(true, mAm.mProcessStats.getMemFactorLocked(), r.lastActivity);
       }
       r.callStart = false;
       synchronized (r.stats.getBatteryStats()) {
           //用于耗电统计，开启允许状态
           r.stats.startRunningLocked();
       }
       String error = bringUpServiceLocked(r, service.getFlags(), callerFg, false, false);
       if (error != null) {
           return new ComponentName("!!", error);
       }

       if (r.startRequested && addToStarting) {
           boolean first = smap.mStartingBackground.size() == 0;
           smap.mStartingBackground.add(r);
           r.startingBgTimeout = SystemClock.uptimeMillis() + mAm.mConstants.BG_START_TIMEOUT;
           if (DEBUG_DELAYED_SERVICE) {
               RuntimeException here = new RuntimeException("here");
               here.fillInStackTrace();
               Slog.v(TAG_SERVICE, "Starting background (first=" + first + "): " + r, here);
           } else if (DEBUG_DELAYED_STARTS) {
               Slog.v(TAG_SERVICE, "Starting background (first=" + first + "): " + r);
           }
           if (first) {
               smap.rescheduleDelayedStartsLocked();
           }
       } else if (callerFg || r.fgRequired) {
           smap.ensureNotStartingBackgroundLocked(r);
       }

       return r.name;
   }

8.AS.bringUpServiceLocked

[->ActiveServices.java]

private String bringUpServiceLocked(ServiceRecord r, int intentFlags, boolean execInFg,
           boolean whileRestarting, boolean permissionsReviewRequired)
           throws TransactionTooLargeException {
       //Slog.i(TAG, "Bring up service:");
       //r.dump("  ");

       if (r.app != null && r.app.thread != null) {
           //调用service.onStartCommand过程
           sendServiceArgsLocked(r, execInFg, false);
           return null;
       }

       if (!whileRestarting && mRestartingServices.contains(r)) {
           //等待延迟重启的过程则直接返回
           // If waiting for a restart, then do nothing.
           return null;
       }

       if (DEBUG_SERVICE) {
           Slog.v(TAG_SERVICE, "Bringing up " + r + " " + r.intent + " fg=" + r.fgRequired);
       }
       //启动service前，把service从启动服务队列中移除
       // We are now bringing the service up, so no longer in the
       // restarting state.
       if (mRestartingServices.remove(r)) {
           clearRestartingIfNeededLocked(r);
       }
       //service正在启动，将delayed设置为false
       // Make sure this service is no longer considered delayed, we are starting it now.
       if (r.delayed) {
           if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "REM FR DELAY LIST (bring up): " + r);
           getServiceMapLocked(r.userId).mDelayedStartList.remove(r);
           r.delayed = false;
       }
       //确保拥有服务的user已经启动，否则停止服务
       // Make sure that the user who owns this service is started.  If not,
       // we don't want to allow it to run.
       if (!mAm.mUserController.hasStartedUserState(r.userId)) {
           String msg = "Unable to launch app "
                   + r.appInfo.packageName + "/"
                   + r.appInfo.uid + " for service "
                   + r.intent.getIntent() + ": user " + r.userId + " is stopped";
           Slog.w(TAG, msg);
           bringDownServiceLocked(r);
           return msg;
       }
       //服务正在启动，设置package停止状态为false
       // Service is now being launched, its package can't be stopped.
       try {
           AppGlobals.getPackageManager().setPackageStoppedState(
                   r.packageName, false, r.userId);
       } catch (RemoteException e) {
       } catch (IllegalArgumentException e) {
           Slog.w(TAG, "Failed trying to unstop package "
                   + r.packageName + ": " + e);
       }
       
       final boolean isolated = (r.serviceInfo.flags&ServiceInfo.FLAG_ISOLATED_PROCESS) != 0;
       final String procName = r.processName;
       String hostingType = "service";
       ProcessRecord app;
       //如果不是孤立进程
       if (!isolated) {
           //根据uid和pid查询ProcessRecord
           app = mAm.getProcessRecordLocked(procName, r.appInfo.uid, false);
           if (DEBUG_MU) Slog.v(TAG_MU, "bringUpServiceLocked: appInfo.uid=" + r.appInfo.uid
                       + " app=" + app);
           if (app != null && app.thread != null) {
               try {
                   app.addPackage(r.appInfo.packageName, r.appInfo.longVersionCode, mAm.mProcessStats);
                   //启动服务
                   realStartServiceLocked(r, app, execInFg);
                   return null;
               } catch (TransactionTooLargeException e) {
                   throw e;
               } catch (RemoteException e) {
                   Slog.w(TAG, "Exception when starting service " + r.shortName, e);
               }

               // If a dead object exception was thrown -- fall through to
               // restart the application.
           }
       } else {
           // If this service runs in an isolated process, then each time
           // we call startProcessLocked() we will get a new isolated
           // process, starting another process if we are currently waiting
           // for a previous process to come up.  To deal with this, we store
           // in the service any current isolated process it is running in or
           // waiting to have come up.
           app = r.isolatedProc;
           if (WebViewZygote.isMultiprocessEnabled()
                   && r.serviceInfo.packageName.equals(WebViewZygote.getPackageName())) {
               hostingType = "webview_service";
           }
       }
       //对于服务进程没有启动的情况
       // Not running -- get it started, and enqueue this service record
       // to be executed when the app comes up.
       if (app == null && !permissionsReviewRequired) {
           //启动服务所需要的进程
           if ((app=mAm.startProcessLocked(procName, r.appInfo, true, intentFlags,
                   hostingType, r.name, false, isolated, false)) == null) {
               String msg = "Unable to launch app "
                       + r.appInfo.packageName + "/"
                       + r.appInfo.uid + " for service "
                       + r.intent.getIntent() + ": process is bad";
               Slog.w(TAG, msg);
               //进程启动失败
               bringDownServiceLocked(r);
               return msg;
           }
           if (isolated) {
               r.isolatedProc = app;
           }
       }

       if (r.fgRequired) {
           if (DEBUG_FOREGROUND_SERVICE) {
               Slog.v(TAG, "Whitelisting " + UserHandle.formatUid(r.appInfo.uid)
                       + " for fg-service launch");
           }
           mAm.tempWhitelistUidLocked(r.appInfo.uid,
                   SERVICE_START_FOREGROUND_TIMEOUT, "fg-service-launch");
       }

       if (!mPendingServices.contains(r)) {
           mPendingServices.add(r);
       }

       if (r.delayedStop) {
           // Oh and hey we've already been asked to stop!
           r.delayedStop = false;
           if (r.startRequested) {
               if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE,
                       "Applying delayed stop (in bring up): " + r);
               //停止服务
               stopServiceLocked(r);
           }
       }

       return null;
   }

当目标进程已经存在，则直接执行realStartServiceLocked

当目标进程不存在，则先执行startProcessLocked创建进程，经过层层调用最后会调用到AMS.attachApplicationLocked,然后再执行realStartServiceLocked。

对于非前台进程调用而需要启动的服务，如果已经有其他的后台服务正在启动，则可能希望延迟其启动，从而避免同时启动过多的进程（非必须）。

8.1 AMS.attachApplicationLocked

[->ActivityManagerService.java]

@GuardedBy("this")
   private final boolean attachApplicationLocked(IApplicationThread thread,
           int pid, int callingUid, long startSeq) {
       ...
       thread.bindApplication(processName, appInfo, providers,
                       app.instr.mClass,
                       profilerInfo, app.instr.mArguments,
                       app.instr.mWatcher,
                       app.instr.mUiAutomationConnection, testMode,
                       mBinderTransactionTrackingEnabled, enableTrackAllocation,
                       isRestrictedBackupMode || !normalMode, app.persistent,
                       new Configuration(getGlobalConfiguration()), app.compat,
                       getCommonServicesLocked(app.isolated),
                       mCoreSettingsObserver.getCoreSettingsLocked(),
                       buildSerial, isAutofillCompatEnabled);
       
       //寻找所有需要在该进程中运行的服务
       // Find any services that should be running in this process...
       if (!badApp) {
           try {
               didSomething |= mServices.attachApplicationLocked(app, processName);
               checkTime(startTime, "attachApplicationLocked: after mServices.attachApplicationLocked");
           } catch (Exception e) {
               Slog.wtf(TAG, "Exception thrown starting services in " + app, e);
               badApp = true;
           }
       }
       ...
       return true;
   }

8.2 AS.attachApplicationLocked

[->ActiveServices.java]

boolean attachApplicationLocked(ProcessRecord proc, String processName)
          throws RemoteException {
      boolean didSomething = false;
      //启动mPendingServices队列中，等待在该进程启动的服务
      // Collect any services that are waiting for this process to come up.
      if (mPendingServices.size() > 0) {
          ServiceRecord sr = null;
          try {
              for (int i=0; i<mPendingServices.size(); i++) {
                  sr = mPendingServices.get(i);
                  if (proc != sr.isolatedProc && (proc.uid != sr.appInfo.uid
                          || !processName.equals(sr.processName))) {
                      continue;
                  }

                  mPendingServices.remove(i);
                  i--;
                  //将当前服务的包信息加入到proc
                  proc.addPackage(sr.appInfo.packageName, sr.appInfo.longVersionCode,
                          mAm.mProcessStats);
                  //启动服务        
                  realStartServiceLocked(sr, proc, sr.createdFromFg);
                  didSomething = true;
                  if (!isServiceNeededLocked(sr, false, false)) {
                      // We were waiting for this service to start, but it is actually no
                      // longer needed.  This could happen because bringDownServiceIfNeeded
                      // won't bring down a service that is pending...  so now the pending
                      // is done, so let's drop it.
                      bringDownServiceLocked(sr);
                  }
              }
          } catch (RemoteException e) {
              Slog.w(TAG, "Exception in new application when starting service "
                      + sr.shortName, e);
              throw e;
          }
      }
      //对于正在等待重启并需要运行在该进程中的服务，现在是启动的好时机
      // Also, if there are any services that are waiting to restart and
      // would run in this process, now is a good time to start them.  It would
      // be weird to bring up the process but arbitrarily not let the services
      // run at this point just because their restart time hasn't come up.
      if (mRestartingServices.size() > 0) {
          ServiceRecord sr;
          for (int i=0; i<mRestartingServices.size(); i++) {
              sr = mRestartingServices.get(i);
              if (proc != sr.isolatedProc && (proc.uid != sr.appInfo.uid
                      || !processName.equals(sr.processName))) {
                  continue;
              }
              mAm.mHandler.removeCallbacks(sr.restarter);
              mAm.mHandler.post(sr.restarter);
          }
      }
      return didSomething;
  }

9.AS.realStartServiceLocked

[->ActiveServices.java]

private final void realStartServiceLocked(ServiceRecord r,
            ProcessRecord app, boolean execInFg) throws RemoteException {
        if (app.thread == null) {
            throw new RemoteException();
        }
        if (DEBUG_MU)
            Slog.v(TAG_MU, "realStartServiceLocked, ServiceRecord.uid = " + r.appInfo.uid
                    + ", ProcessRecord.uid = " + app.uid);
        r.app = app;
        r.restartTime = r.lastActivity = SystemClock.uptimeMillis();

        final boolean newService = app.services.add(r);
        //发送delay消息
        bumpServiceExecutingLocked(r, execInFg, "create");
        mAm.updateLruProcessLocked(app, false, null);
        updateServiceForegroundLocked(r.app, /* oomAdj= */ false);
        mAm.updateOomAdjLocked();

        boolean created = false;
        try {
            if (LOG_SERVICE_START_STOP) {
                String nameTerm;
                int lastPeriod = r.shortName.lastIndexOf('.');
                nameTerm = lastPeriod >= 0 ? r.shortName.substring(lastPeriod) : r.shortName;
                EventLogTags.writeAmCreateService(
                        r.userId, System.identityHashCode(r), nameTerm, r.app.uid, r.app.pid);
            }
            synchronized (r.stats.getBatteryStats()) {
                r.stats.startLaunchedLocked();
            }
            mAm.notifyPackageUse(r.serviceInfo.packageName,
                                 PackageManager.NOTIFY_PACKAGE_USE_SERVICE);
            app.forceProcessStateUpTo(ActivityManager.PROCESS_STATE_SERVICE);
            //服务进入onCreate
            app.thread.scheduleCreateService(r, r.serviceInfo,
                    mAm.compatibilityInfoForPackageLocked(r.serviceInfo.applicationInfo),
                    app.repProcState);
            r.postNotification();
            created = true;
        } catch (DeadObjectException e) {
            //应用死亡处理
            Slog.w(TAG, "Application dead when creating service " + r);
            mAm.appDiedLocked(app);
            throw e;
        } finally {
            if (!created) {
                // Keep the executeNesting count accurate.
                final boolean inDestroying = mDestroyingServices.contains(r);
                serviceDoneExecutingLocked(r, inDestroying, inDestroying);
                // Cleanup.
                if (newService) {
                    app.services.remove(r);
                    r.app = null;
                }

                // Retry.
                if (!inDestroying) {
                    scheduleServiceRestartLocked(r, false);
                }
            }
        }

        if (r.whitelistManager) {
            app.whitelistManager = true;
        }
        requestServiceBindingsLocked(r, execInFg);
        updateServiceClientActivitiesLocked(app, null, true);
        // If the service is in the started state, and there are no
        // pending arguments, then fake up one so its onStartCommand() will
        // be called.
        if (r.startRequested && r.callStart && r.pendingStarts.size() == 0) {
            r.pendingStarts.add(new ServiceRecord.StartItem(r, false, r.makeNextStartId(),
                    null, null, 0));
        }
        //服务进入onStartCommand
        sendServiceArgsLocked(r, execInFg, true);

        if (r.delayed) {
            if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "REM FR DELAY LIST (new proc): " + r);
            getServiceMapLocked(r.userId).mDelayedStartList.remove(r);
            r.delayed = false;
        }

        if (r.delayedStop) {
            // Oh and hey we've already been asked to stop!
            r.delayedStop = false;
            if (r.startRequested) {
                //停止服务
                if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE,
                        "Applying delayed stop (from start): " + r);
                stopServiceLocked(r);
            }
        }
    }

bumpServiceExecutingLocked会发送一个延迟处理的消息SERVICE_TIMEOUT_MSG。在方法scheduleCreateService执行完成，如果onCreate回调执行完成后，便会remove掉该消息。但如果没有在延时的时间内移除掉消息，则会进入到service timeout流程

9.1 AS.bumpServiceExecutingLocked

[->ActiveServices.java]

private final void bumpServiceExecutingLocked(ServiceRecord r, boolean fg, String why) {
       if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, ">>> EXECUTING "
               + why + " of " + r + " in app " + r.app);
       else if (DEBUG_SERVICE_EXECUTING) Slog.v(TAG_SERVICE_EXECUTING, ">>> EXECUTING "
               + why + " of " + r.shortName);

       // For b/34123235: Services within the system server won't start until SystemServer
       // does Looper.loop(), so we shouldn't try to start/bind to them too early in the boot
       // process. However, since there's a little point of showing the ANR dialog in that case,
       // let's suppress the timeout until PHASE_THIRD_PARTY_APPS_CAN_START.
       //
       // (Note there are multiple services start at PHASE_THIRD_PARTY_APPS_CAN_START too,
       // which technically could also trigger this timeout if there's a system server
       // that takes a long time to handle PHASE_THIRD_PARTY_APPS_CAN_START, but that shouldn't
       // happen.)
       boolean timeoutNeeded = true;
       if ((mAm.mBootPhase < SystemService.PHASE_THIRD_PARTY_APPS_CAN_START)
               && (r.app != null) && (r.app.pid == android.os.Process.myPid())) {
           //SystemServer还未进入到PHASE_THIRD_PARTY_APPS_CAN_START状态，则不能启动服务
           Slog.w(TAG, "Too early to start/bind service in system_server: Phase=" + mAm.mBootPhase
                   + " " + r.getComponentName());
           timeoutNeeded = false;
       }

       long now = SystemClock.uptimeMillis();
       if (r.executeNesting == 0) {
           r.executeFg = fg;
           ServiceState stracker = r.getTracker();
           if (stracker != null) {
               stracker.setExecuting(true, mAm.mProcessStats.getMemFactorLocked(), now);
           }
           if (r.app != null) {
               r.app.executingServices.add(r);
               r.app.execServicesFg |= fg;
               if (timeoutNeeded && r.app.executingServices.size() == 1) {
                   scheduleServiceTimeoutLocked(r.app);
               }
           }
       } else if (r.app != null && fg && !r.app.execServicesFg) {
           r.app.execServicesFg = true;
           if (timeoutNeeded) {
               scheduleServiceTimeoutLocked(r.app);
           }
       }
       r.executeFg |= fg;
       r.executeNesting++;
       r.executingStart = now;
   }

9.2 AS.scheduleServiceTimeoutLocked

[->ActiveServices.java]

void scheduleServiceTimeoutLocked(ProcessRecord proc) {
       if (proc.executingServices.size() == 0 || proc.thread == null) {
           return;
       }
       Message msg = mAm.mHandler.obtainMessage(
               ActivityManagerService.SERVICE_TIMEOUT_MSG);
       msg.obj = proc;
       //超时后还没有移除SERVICE_TIMEOUT_MSG消息，则执行SERVICE_TIMEOUT流程
       mAm.mHandler.sendMessageDelayed(msg,
               proc.execServicesFg ? SERVICE_TIMEOUT : SERVICE_BACKGROUND_TIMEOUT);
   }

发送延迟消息SERVICE_TIMEOUT_MSG：

• 对于前台服务，则超时为SERVICE_TIMEOUT=20s

• 对于后台服务，则超时为SERVICE_BACKGROUND_TIMEOUT=SERVICE_TIMEOUT * 10

app.thread.scheduleCreateService通过Binder机制调用，IApplicationThread.aidl在编译时会生成代理类和实现类。通过IApplicationThread代理，调用到目标进程端的scheduleCreateService具体实现。

四、目标进程端

10.AT.scheduleCreateService

[->ActivityThread.java]

public final void scheduleCreateService(IBinder token,
              ServiceInfo info, CompatibilityInfo compatInfo, int processState) {
          updateProcessState(processState, false);
          CreateServiceData s = new CreateServiceData();
          s.token = token;
          s.info = info;
          s.compatInfo = compatInfo;
          sendMessage(H.CREATE_SERVICE, s);
 }

该方法执行在ActivityThread线程。

10.1 AT.handleMessage

[->ActivityThread.java]

public void handleMessage(Message msg) {
     ...
              case CREATE_SERVICE:
                    handleCreateService((CreateServiceData)msg.obj);
                    break;
               case BIND_SERVICE:
                   handleBindService((BindServiceData)msg.obj);
                   break;
               case UNBIND_SERVICE:
                   handleUnbindService((BindServiceData)msg.obj);
                   schedulePurgeIdler();
                   break;
               case SERVICE_ARGS:
                   handleServiceArgs((ServiceArgsData)msg.obj);//onStartCommand
                   break;
               case STOP_SERVICE:
                   handleStopService((IBinder)msg.obj);
                   schedulePurgeIdler();
                   break;
      ...    
  }

11.AT.handleCreateService

[->ActivityThread.java]

@UnsupportedAppUsage
private void handleCreateService(CreateServiceData data) {
    //当应用处于后台即将进行gc,而此时回调到活动状态，则跳过本次gc
    // If we are getting ready to gc after going to the background, well
    // we are back active so skip it.
    unscheduleGcIdler();
    LoadedApk packageInfo = getPackageInfoNoCheck(
            data.info.applicationInfo, data.compatInfo);
    Service service = null;
    //通过反射创建目标服务对象
    try {
        java.lang.ClassLoader cl = packageInfo.getClassLoader();
        service = packageInfo.getAppFactory()
                .instantiateService(cl, data.info.name, data.intent);
    } catch (Exception e) {
        if (!mInstrumentation.onException(service, e)) {
            throw new RuntimeException(
                "Unable to instantiate service " + data.info.name
                + ": " + e.toString(), e);
        }
    }

    try {
        if (localLOGV) Slog.v(TAG, "Creating service " + data.info.name);
        //创建ContextImpl
        ContextImpl context = ContextImpl.createAppContext(this, packageInfo);
        context.setOuterContext(service);
       
        //创建Application
        Application app = packageInfo.makeApplication(false, mInstrumentation);
        service.attach(context, this, data.info.name, data.token, app,
                ActivityManager.getService());
        //调用服务onCreate方法       
        service.onCreate();
        mServices.put(data.token, service);
        //调用服务创建完成
        try {
            ActivityManager.getService().serviceDoneExecuting(
                    data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    } catch (Exception e) {
        if (!mInstrumentation.onException(service, e)) {
            throw new RuntimeException(
                "Unable to create service " + data.info.name
                + ": " + e.toString(), e);
        }
    }
}

11.1 Service.onCreate

[->Service.java]

public abstract class Service extends ContextWrapper implements ComponentCallbacks2 {
   /**
    * Called by the system when the service is first created.  Do not call this method directly.
    */
   public void onCreate() {
   }
 }

最终调用到了Service.onCreate方法，对于目标服务一般都是继承Service，并且覆写onCreate方法，到此终于进入到了Service的生命周期。

12.AMS.serviceDoneExecuting

[->ActivityManagerService.java]

public void serviceDoneExecuting(IBinder token, int type, int startId, int res) {
       synchronized(this) {
           if (!(token instanceof ServiceRecord)) {
               Slog.e(TAG, "serviceDoneExecuting: Invalid service token=" + token);
               throw new IllegalArgumentException("Invalid service token");
           }
           mServices.serviceDoneExecutingLocked((ServiceRecord)token, type, startId, res);
       }
   }

由流程9.1 bumpServiceExecutingLocked方法发送了一个延时消息SERVICE_TIMEOUT_MSG，现在onCreate执行完成，那么就需要移除该消息，否则会报超时。

12.1 AS.serviceDoneExecutingLocked

[->ActiveServices.java]

void serviceDoneExecutingLocked(ServiceRecord r, int type, int startId, int res) {
       boolean inDestroying = mDestroyingServices.contains(r);
       if (r != null) {
           if (type == ActivityThread.SERVICE_DONE_EXECUTING_START) {
               // This is a call from a service start...  take care of
               // book-keeping.
               r.callStart = true;
               //onStartCommand返回值的处理
               switch (res) {
                   case Service.START_STICKY_COMPATIBILITY:
                   case Service.START_STICKY: {
                       // We are done with the associated start arguments.
                       r.findDeliveredStart(startId, false, true);
                       // Don't stop if killed.
                       r.stopIfKilled = false;
                       break;
                   }
                   case Service.START_NOT_STICKY: {
                       // We are done with the associated start arguments.
                       r.findDeliveredStart(startId, false, true);
                       if (r.getLastStartId() == startId) {
                           // There is no more work, and this service
                           // doesn't want to hang around if killed.
                           r.stopIfKilled = true;
                       }
                       break;
                   }
                   case Service.START_REDELIVER_INTENT: {
                       // We'll keep this item until they explicitly
                       // call stop for it, but keep track of the fact
                       // that it was delivered.
                       ServiceRecord.StartItem si = r.findDeliveredStart(startId, false, false);
                       if (si != null) {
                           si.deliveryCount = 0;
                           si.doneExecutingCount++;
                           // Don't stop if killed.
                           r.stopIfKilled = true;
                       }
                       break;
                   }
                   case Service.START_TASK_REMOVED_COMPLETE: {
                       // Special processing for onTaskRemoved().  Don't
                       // impact normal onStartCommand() processing.
                       r.findDeliveredStart(startId, true, true);
                       break;
                   }
                   default:
                       throw new IllegalArgumentException(
                               "Unknown service start result: " + res);
               }
               if (res == Service.START_STICKY_COMPATIBILITY) {
                   r.callStart = false;
               }
           } else if (type == ActivityThread.SERVICE_DONE_EXECUTING_STOP) {
               // This is the final call from destroying the service...  we should
               // actually be getting rid of the service at this point.  Do some
               // validation of its state, and ensure it will be fully removed.
               if (!inDestroying) {
                   // Not sure what else to do with this...  if it is not actually in the
                   // destroying list, we don't need to make sure to remove it from it.
                   // If the app is null, then it was probably removed because the process died,
                   // otherwise wtf
                   if (r.app != null) {
                       Slog.w(TAG, "Service done with onDestroy, but not inDestroying: "
                               + r + ", app=" + r.app);
                   }
               } else if (r.executeNesting != 1) {
                   Slog.w(TAG, "Service done with onDestroy, but executeNesting="
                           + r.executeNesting + ": " + r);
                   // Fake it to keep from ANR due to orphaned entry.
                   r.executeNesting = 1;
               }
           }
           final long origId = Binder.clearCallingIdentity();
           //如下
           serviceDoneExecutingLocked(r, inDestroying, inDestroying);
           Binder.restoreCallingIdentity(origId);
       } else {
           Slog.w(TAG, "Done executing unknown service from pid "
                   + Binder.getCallingPid());
       }
   }

12.2 AS.serviceDoneExecutingLocked

[->ActiveServices.java]

private void serviceDoneExecutingLocked(ServiceRecord r, boolean inDestroying,
           boolean finishing) {
       if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "<<< DONE EXECUTING " + r
               + ": nesting=" + r.executeNesting
               + ", inDestroying=" + inDestroying + ", app=" + r.app);
       else if (DEBUG_SERVICE_EXECUTING) Slog.v(TAG_SERVICE_EXECUTING,
               "<<< DONE EXECUTING " + r.shortName);
       r.executeNesting--;
       if (r.executeNesting <= 0) {
           if (r.app != null) {
               if (DEBUG_SERVICE) Slog.v(TAG_SERVICE,
                       "Nesting at 0 of " + r.shortName);
               r.app.execServicesFg = false;
               r.app.executingServices.remove(r);
               if (r.app.executingServices.size() == 0) {
                   //移除SERVICE_TIMEOUT_MSG消息
                   if (DEBUG_SERVICE || DEBUG_SERVICE_EXECUTING) Slog.v(TAG_SERVICE_EXECUTING,
                           "No more executingServices of " + r.shortName);
                   mAm.mHandler.removeMessages(ActivityManagerService.SERVICE_TIMEOUT_MSG, r.app);
               } else if (r.executeFg) {
                   // Need to re-evaluate whether the app still needs to be in the foreground.
                   for (int i=r.app.executingServices.size()-1; i>=0; i--) {
                       if (r.app.executingServices.valueAt(i).executeFg) {
                           r.app.execServicesFg = true;
                           break;
                       }
                   }
               }
               if (inDestroying) {
                   if (DEBUG_SERVICE) Slog.v(TAG_SERVICE,
                           "doneExecuting remove destroying " + r);
                   mDestroyingServices.remove(r);
                   r.bindings.clear();
               }
               //更新adj
               mAm.updateOomAdjLocked(r.app, true);
           }
           r.executeFg = false;
           if (r.tracker != null) {
               r.tracker.setExecuting(false, mAm.mProcessStats.getMemFactorLocked(),
                       SystemClock.uptimeMillis());
               if (finishing) {
                   r.tracker.clearCurrentOwner(r, false);
                   r.tracker = null;
               }
           }
           if (finishing) {
               if (r.app != null && !r.app.persistent) {
                   r.app.services.remove(r);
                   if (r.whitelistManager) {
                       updateWhitelistManagerLocked(r.app);
                   }
               }
               r.app = null;
           }
       }
   }

该方法将会移除SERVICE_TIMEOUT_MSG消息。Service启动过程出现ANR，会发送超时serviceRecord消息，这通常是onCreate的回调方法过长导致。

realStartServiceLocked方法，在完成onCreate操作时，后面进入到了onStartCoomnad方法.

13.AS.sendServiceArgsLocked

[->ActiveServices.java]

private final void sendServiceArgsLocked(ServiceRecord r, boolean execInFg,
           boolean oomAdjusted) throws TransactionTooLargeException {
       final int N = r.pendingStarts.size();
       if (N == 0) {
           return;
       }
       ArrayList<ServiceStartArgs> args = new ArrayList<>();
       while (r.pendingStarts.size() > 0) {
           ServiceRecord.StartItem si = r.pendingStarts.remove(0);
           if (DEBUG_SERVICE) {
               Slog.v(TAG_SERVICE, "Sending arguments to: "
                       + r + " " + r.intent + " args=" + si.intent);
           }
           if (si.intent == null && N > 1) {
               // If somehow we got a dummy null intent in the middle,
               // then skip it.  DO NOT skip a null intent when it is
               // the only one in the list -- this is to support the
               // onStartCommand(null) case.
               continue;
           }
           si.deliveredTime = SystemClock.uptimeMillis();
           r.deliveredStarts.add(si);
           si.deliveryCount++;
           if (si.neededGrants != null) {
               mAm.grantUriPermissionUncheckedFromIntentLocked(si.neededGrants,
                       si.getUriPermissionsLocked());
           }
           mAm.grantEphemeralAccessLocked(r.userId, si.intent,
                   r.appInfo.uid, UserHandle.getAppId(si.callingId));
           //标记启动开始，同上
           bumpServiceExecutingLocked(r, execInFg, "start");
           if (!oomAdjusted) {
               oomAdjusted = true;
               mAm.updateOomAdjLocked(r.app, true);
           }
           if (r.fgRequired && !r.fgWaiting) {
               if (!r.isForeground) {
                   if (DEBUG_BACKGROUND_CHECK) {
                       Slog.i(TAG, "Launched service must call startForeground() within timeout: " + r);
                   }
                   scheduleServiceForegroundTransitionTimeoutLocked(r);
               } else {
                   if (DEBUG_BACKGROUND_CHECK) {
                       Slog.i(TAG, "Service already foreground; no new timeout: " + r);
                   }
                   r.fgRequired = false;
               }
           }
           int flags = 0;
           if (si.deliveryCount > 1) {
               flags |= Service.START_FLAG_RETRY;
           }
           if (si.doneExecutingCount > 0) {
               flags |= Service.START_FLAG_REDELIVERY;
           }
           args.add(new ServiceStartArgs(si.taskRemoved, si.id, flags, si.intent));
       }

       ParceledListSlice<ServiceStartArgs> slice = new ParceledListSlice<>(args);
       slice.setInlineCountLimit(4);
       Exception caughtException = null;
       try {
           //流程同onCreate，最后回调onStartCommand
           r.app.thread.scheduleServiceArgs(r, slice);
       } catch (TransactionTooLargeException e) {
           if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Transaction too large for " + args.size()
                   + " args, first: " + args.get(0).args);
           Slog.w(TAG, "Failed delivering service starts", e);
           caughtException = e;
       } catch (RemoteException e) {
           // Remote process gone...  we'll let the normal cleanup take care of this.
           if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Crashed while sending args: " + r);
           Slog.w(TAG, "Failed delivering service starts", e);
           caughtException = e;
       } catch (Exception e) {
           Slog.w(TAG, "Unexpected exception", e);
           caughtException = e;
       }

       if (caughtException != null) {
           // Keep nesting count correct
           final boolean inDestroying = mDestroyingServices.contains(r);
           for (int i = 0; i < args.size(); i++) {
               serviceDoneExecutingLocked(r, inDestroying, inDestroying);
           }
           if (caughtException instanceof TransactionTooLargeException) {
               throw (TransactionTooLargeException)caughtException;
           }
       }
   }

realStartServiceLocked先后执行的方法如下：

执行scheduleCreateService方法，通过层层回调到Service.onCreate;

执行scheduleServiceArgs方法，通过层层回调到Service.onStartCommand，流程同onCreate.

五、总结

整个startService过程，从进程角度来看服务启动的过程

process A进程：是指调用startService方法所在的进程，也就是启动服务的发起端进程，如：桌面上点击图标，此处Process A就是Launcher所在的进程。

system_server进程：里面运行着大量的系统服务，如AMS,是运行在system_server不同的线程中，基于Binder接口，binder线程的创建与销毁都是由Binder驱动来决定的，每个进程的binder线程个数上线为16

Zygote进程：是由init进程孵化而来，用于创建java层进程的母体，所有的java层进程都是由Zygote进程孵化而来。

Remote Service进程：远程服务所在的进程，是由zygote进程孵化而来，用于运行Remote服务进程。主线程主要是负责Activity/Service等组件的生命周期以及UI相关的操作；另外，每个app进程至少会有两个binder线程，ApplicationThread和ActivityManagerService的代理。

上面涉及到IPC通信的三种方式，Binder、Socket、Handler。一般来说，同一进程内的线程间通信采用Handler消息队列机制，不同进程间的通信采用Binder机制，另外与Zygote通信采用Socket。

启动流程：

1.Process A进程采用Binder IPC向system_server进程发起startService请求

2.system_server进程接收到请求后，向zygote进程发送创建进程的请求

3.zygote进程fork出新的子进程Remote Service进程

4.RemoteService进程通过Binder IPC向system_server进程发起attachApplication请求

5.system_server进程收到请求后，进行一序列准备工作后，再通过Binder IPC向remote sevice进程发送scheduleCreateService请求

6.Remote Service进程的binder线程收到请求后，通过handler向主线程发送CREATE_SERVICE消息

7.主线程收到消息后，通过反射机制创建目标Service，并回调Service.onCreate方法。

到此，服务就正式启动了。当创建的是本地服务或者服务所属进程已经创建，则无需经过步骤2,3直接创建服务即可。

附录

源码路径

frameworks/base/core/java/android/app/IActivityManager.aidl
frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java
frameworks/base/core/java/android/app/ActivityThread.java
frameworks/base/services/core/java/com/android/server/am/ActiveServices.java
frameworks/base/core/java/android/app/IApplicationThread.aidl