Chromium學習筆記：程序啟動入口分析（Windows）

轉自：Chromium學習筆記：程序啟動入口分析（Windows）

以下筆記內容均為Windows版本。

本篇筆記跟蹤記錄了Chromium的啟動過程，主要關注 Browser 進程和 Renderer 進程。根據 Chromium 項目的分層設計，我們把 Content API 稱作為 Content 層，而把調用 Content API 實現瀏覽器程序的部分稱作為 Embedder 層。在項目中，Embedder 層有 chrome、content_shell 等多種實現。

1、main() 函數

Chromium的main函數在 chrome\app\chrome_exe_main_win.cc，具體如下：

// chrome\app\chrome_exe_main_win.cc

#if !defined(WIN_CONSOLE_APP)
int APIENTRY wWinMain(HINSTANCE instance, HINSTANCE prev, wchar_t*, int) {
#else
int main() {
 HINSTANCE instance = GetModuleHandle(nullptr);
#endif
 install_static::InitializeFromPrimaryModule();
 SignalInitializeCrashReporting();

 ......

 // Load and launch the chrome dll. *Everything* happens inside.
 VLOG(1) << "About to load main DLL.";
 MainDllLoader* loader = MakeMainDllLoader();
 int rc = loader->Launch(instance, exe_entry_point_ticks);
 loader->RelaunchChromeBrowserWithNewCommandLineIfNeeded();
 delete loader;
 return rc;
}

在main函數中，最重要的一步，就是 int rc = loader->Launch(instance, exe_entry_point_ticks); 載入 chrome.dll運行。

2、載入 chrome.dll

在這里首先調用了 MakeMainDllLoader() 函數，這是一個靜態函數，在chrome\app\main_dll_loader.cc 中，內容如下：

// chrome\app\main_dll_loader.cc

MainDllLoader* MakeMainDllLoader() {
#if defined(GOOGLE_CHROME_BUILD)
 return new ChromeDllLoader();
#else
 return new ChromiumDllLoader();
#endif
}

函數創建並返回一個 ChromiumDllLoader，緊接着再調用它的 Launch 函數，內容如下：

// chrome\app\main_dll_loader.cc

int MainDllLoader::Launch(HINSTANCE instance,
 base::TimeTicks exe_entry_point_ticks) {
 const base::CommandLine& cmd_line = *base::CommandLine::ForCurrentProcess();
 process_type_ = cmd_line.GetSwitchValueASCII(switches::kProcessType);

 ......

 dll_ = Load(&file);
 if (!dll_)
 return chrome::RESULT_CODE_MISSING_DATA;

 OnBeforeLaunch(cmd_line, process_type_, file);
 DLL_MAIN chrome_main =
 reinterpret_cast<DLL_MAIN>(::GetProcAddress(dll_, "ChromeMain"));
 int rc = chrome_main(instance, &sandbox_info,
 exe_entry_point_ticks.ToInternalValue());
 OnBeforeExit(file);
 return rc;
}

這里完成了 chrome.dll 的載入，並且執行里面的 ChromeMain 函數。

3、ChromeMain() 函數

ChromeMain 函數負責 Embedder 層的實現類創建，並傳遞給 Content 層，定義在 chrome\app\chrome_main.cc 中，內容如下：

// chrome\app\chrome_main.cc

extern "C" {
DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
 sandbox::SandboxInterfaceInfo* sandbox_info,
 int64_t exe_entry_point_ticks);
}

......

#if defined(OS_WIN)
DLLEXPORT int __cdecl ChromeMain(HINSTANCE instance,
 sandbox::SandboxInterfaceInfo* sandbox_info,
 int64_t exe_entry_point_ticks) {
#elif defined(OS_POSIX)
int ChromeMain(int argc, const char** argv) {
 int64_t exe_entry_point_ticks = 0;
#endif

#if defined(OS_WIN)
 install_static::InitializeFromPrimaryModule();
#endif

 ChromeMainDelegate chrome_main_delegate(
 base::TimeTicks::FromInternalValue(exe_entry_point_ticks));
 content::ContentMainParams params(&chrome_main_delegate);

 ......

 int rv = content::ContentMain(params);

 return rv;
}

在ChromeMain中，最終執行到了 content::ContentMain 這個函數。

4、content::ContentMain() 函數

代碼執行到這里，進入了 Content 層，並且傳入參數 content::ContentMainParams 類型的參數 params，它是由 Embedder 層傳遞過來的重要參數，里面包含了 Embedder 層的具體實現信息，此結構體在 content\public\app\content_main.h 中定義如下：

// content\public\app\content_main.h

struct ContentMainParams {
 explicit ContentMainParams(ContentMainDelegate* delegate)
 : delegate(delegate) {}

 ContentMainDelegate* delegate;

 ......

其中有一個重要的成員變量 delegate，其類型為 content::ContentMainDelegate，它在 content\public\app\content_main_delegate.cc 中定義如下：

// content\public\app\content_main_delegate.cc

class CONTENT_EXPORT ContentMainDelegate {
 public:
 virtual ~ContentMainDelegate() {}

 virtual bool BasicStartupComplete(int* exit_code);
 virtual void PreSandboxStartup() {}
 virtual void SandboxInitialized(const std::string& process_type) {}
 virtual int RunProcess(
 const std::string& process_type,
 const MainFunctionParams& main_function_params);
 virtual void ProcessExiting(const std::string& process_type) {}

 ......

 virtual void PreCreateMainMessageLoop() {}

 ......

 protected:
 friend class ContentClientInitializer;

 virtual ContentBrowserClient* CreateContentBrowserClient();
 virtual ContentGpuClient* CreateContentGpuClient();
 virtual ContentRendererClient* CreateContentRendererClient();
 virtual ContentUtilityClient* CreateContentUtilityClient();
};

可以看到，這里定義了一系列與啟動相關的操作，並且通過幾個 CreateXXX 的函數，獲取 ContentBrowserClient、ContentRendererClient 等接口具體的實現，這也是 content API 的巧妙設計，通過這種方式，將瀏覽器的實現放入了 content 中。

繼續往下看，content::ContentMain() 中調用了 content\app\content_main.cc 中的 service_manager::Main()：

// content\app\content_main.cc

int ContentMain(const ContentMainParams& params) {
 ContentServiceManagerMainDelegate delegate(params);
 service_manager::MainParams main_params(&delegate);
#if !defined(OS_WIN) && !defined(OS_ANDROID)
 main_params.argc = params.argc;
 main_params.argv = params.argv;
#endif
 return service_manager::Main(main_params);
}

在這里，使用一個 content::ContentServiceManagerMainDelegate 對象來構建了 main_params，並傳入了 service_manager::Main()。

5、service_manager::Main 函數

service_manager::Main 函數位於 services\service_manager\embedder\main.cc，接收一個 MainParams 類型的參數，具體如下：

// services\service_manager\embedder\main.cc

int Main(const MainParams& params) {
 MainDelegate* delegate = params.delegate;

 ......

 ProcessType process_type = delegate->OverrideProcessType();

 ......
 // A flag to indicate whether Main() has been called before. On Android, we
 // may re-run Main() without restarting the browser process. This flag
 // prevents initializing things more than once.
 static bool is_initialized = false;
#if !defined(OS_ANDROID)
 DCHECK(!is_initialized);
#endif
 if (!is_initialized) {
 is_initialized = true;

 ......

#if defined(OS_WIN)
 base::win::RegisterInvalidParamHandler();
 ui::win::CreateATLModuleIfNeeded();
#endif // defined(OS_WIN)

 ......

 base::CommandLine::Init(argc, argv);

 ......

 const auto& command_line = *base::CommandLine::ForCurrentProcess();

#if defined(OS_WIN)
 base::win::SetupCRT(command_line);
#endif

 MainDelegate::InitializeParams init_params;

 ......
 mojo::core::Init(mojo_config);

 ......

 exit_code = delegate->Initialize(init_params);

 ......

 }

 const auto& command_line = *base::CommandLine::ForCurrentProcess();
 if (process_type == ProcessType::kDefault) {
 std::string type_switch =
 command_line.GetSwitchValueASCII(switches::kProcessType);
 if (type_switch == switches::kProcessTypeServiceManager) {
 process_type = ProcessType::kServiceManager;
 } else if (type_switch == switches::kProcessTypeService) {
 process_type = ProcessType::kService;
 } else {
 process_type = ProcessType::kEmbedder;
 }
 }
 switch (process_type) {
 case ProcessType::kDefault:
 NOTREACHED();
 break;

 case ProcessType::kServiceManager:
 exit_code = RunServiceManager(delegate);
 break;

 case ProcessType::kService:
 CommonSubprocessInit();
 exit_code = RunService(delegate);
 break;

 case ProcessType::kEmbedder:
 if (delegate->IsEmbedderSubprocess())
 CommonSubprocessInit();
 exit_code = delegate->RunEmbedderProcess();
 break;
 }

 ......

 if (process_type == ProcessType::kEmbedder)
 delegate->ShutDownEmbedderProcess();

 return exit_code;
}

這里截取的代碼比較長，也非常重要，我們主要關注這四個部分：

• 根據傳入的 delegate 和 command_line 決定進程的類型
• 運行環境的初始化，比如 CreateATLModuleIfNeeded，SetupCRT 並用 is_initialized 來防止重復執行
• 通過傳入的 delegate 進行程序的初始化操作，delegate->Initialize(init_params)
• 根據進程類型啟動相應的工作

這里的 delegate 類型為 service_manager::MainDelegate*，是在 services/service_manager/embedder/main_delegate.h 中定義的抽象類，在這里我們主要關注它的 Initialize、RunEmbedderProcess 和 ShutDownEmbedderProcess，其中 Initialize 為被聲明為純虛函數，RunEmbedderProcess 和 ShutDownEmbedderProcess 又是什么都不做的，代碼如下：

// services/service_manager/embedder/main_delegate.h

class COMPONENT_EXPORT(SERVICE_MANAGER_EMBEDDER) MainDelegate {
 public:
 // Perform early process initialization. Returns -1 if successful, or the exit
 // code with which the process should be terminated due to initialization
 // failure.
 virtual int Initialize(const InitializeParams& params) = 0;

 ......

 // Runs the embedder's own main process logic. Called exactly once after a
 // successful call to Initialize(), and only if the Service Manager core does
 // not know what to do otherwise -- i.e., if it is not starting a new Service
 // Manager instance or launching an embedded service.
 //
 // Returns the exit code to use when terminating the process after
 // RunEmbedderProcess() (and then ShutDown()) completes.
 virtual int RunEmbedderProcess();

 ......

 // Called just before process exit if RunEmbedderProcess() was called.
 virtual void ShutDownEmbedderProcess();

// services/service_manager/embedder/main_delegate.cc

int MainDelegate::RunEmbedderProcess() {
 return 0;
}

...

void MainDelegate::ShutDownEmbedderProcess() {}

回到 service_manager::Main()，我們看到第一句 MainDelegate* delegate = params.delegate; 中的 params.delegate 就是前面在 content::ContentMain 中構建 main_params 所使用的 content::ContentServiceManagerMainDelegate 對象，因此，上述的三個函數 Initialize、RunEmbedderProcess、ShutDownEmbedderProcess 是由 ContentServiceManagerMainDelegate 來最終實現的，來看代碼：

// content\app\content_service_manager_main_delegate.cc

int ContentServiceManagerMainDelegate::Initialize(
 const InitializeParams& params) {

 ......

 return content_main_runner_->Initialize(content_main_params_);
}

......

int ContentServiceManagerMainDelegate::RunEmbedderProcess() {
 return content_main_runner_->Run(start_service_manager_only_);
}

......

void ContentServiceManagerMainDelegate::ShutDownEmbedderProcess() {
#if !defined(OS_ANDROID)
 content_main_runner_->Shutdown();
#endif
}

在這三個函數的定義中，都使用了 content_main_runner_ 這個成員變量來具體執行，它的定義為 std::unique_ptr<ContentMainRunnerImpl>。

6、整個程序的Runner，content::ContentMainRunnerImpl

這個 content::ContentMainRunnerImpl 是 content::ContentMainRunner 接口的一個實現，先來看接口的聲明：

// content\app\content_main_runner_impl.h

class CONTENT_EXPORT ContentMainRunner {
 public:
 virtual ~ContentMainRunner() {}

 // Create a new ContentMainRunner object.
 static ContentMainRunner* Create();

 // Initialize all necessary content state.
 virtual int Initialize(const ContentMainParams& params) = 0;

 // Perform the default run logic.
 virtual int Run(bool start_service_manager_only) = 0;

 // Shut down the content state.
 virtual void Shutdown() = 0;
};

再來看實現類的代碼：

// content\app\content_main_runner_impl.h

class ContentMainRunnerImpl : public ContentMainRunner {
 public:
 static ContentMainRunnerImpl* Create();

 ContentMainRunnerImpl();
 ~ContentMainRunnerImpl() override;

 int TerminateForFatalInitializationError();

 // ContentMainRunner:
 int Initialize(const ContentMainParams& params) override;
 int Run(bool start_service_manager_only) override;
 void Shutdown() override;

 ......

}

7、ContentMainRunner::Initialize() 函數

先來看 Initialize 函數：

// content\app\content_main_runner_impl.cc

int ContentMainRunnerImpl::Initialize(const ContentMainParams& params) {
 ui_task_ = params.ui_task;
 created_main_parts_closure_ = params.created_main_parts_closure;

#if defined(OS_WIN)
 sandbox_info_ = *params.sandbox_info;
#else // !OS_WIN

 ......

 is_initialized_ = true;
 delegate_ = params.delegate;

 ......

 int exit_code = 0;
 if (delegate_->BasicStartupComplete(&exit_code))
 return exit_code;
 completed_basic_startup_ = true;

 ......

 delegate_->PreSandboxStartup();
#if defined(OS_WIN)
 if (!InitializeSandbox(
 service_manager::SandboxTypeFromCommandLine(command_line),
 params.sandbox_info))
 return TerminateForFatalInitializationError();
#elif defined(OS_MACOSX)

 ......

#endif

 delegate_->SandboxInitialized(process_type);

 ......

 // Return -1 to indicate no early termination.
 return -1;
}

大致看一下，在這個 Initialize 中，主要是根據 command_line 啟動了相應的 sandbox service，並在啟動前后都觸發了 delegate_->PreSandboxStartup() 和 delegate_->SandboxInitialized(process_type)，這個 delegate_ 來自於傳入的 content::ContentMainParams 結構體，這個結構體是在 chrome_main.cc 中調用 content::ContentMain(params) 時所創建，所以這個 delegate_ 正是前面所提到的巧妙設計中，繼承自 content::ContentMainDelegate 的 ChromeMainDelegate 對象，通過這一系列的調用，content 層就把創建 sandbox service 前后的事件觸發了出來，具體實現者只要在 ChromeMainDelegate 中填充這兩個時間點要做的事即可。

8、進程入口，ContentMainRunner::Run() 函數

再來看 Run 函數：

// // content\app\content_main_runner_impl.cc

int ContentMainRunnerImpl::Run(bool start_service_manager_only) {

 ......

 const base::CommandLine& command_line =
 *base::CommandLine::ForCurrentProcess();
 std::string process_type =
 command_line.GetSwitchValueASCII(switches::kProcessType);

 ......

 MainFunctionParams main_params(command_line);
 main_params.ui_task = ui_task_;
 main_params.created_main_parts_closure = created_main_parts_closure_;

 ......

 if (process_type.empty())
 return RunServiceManager(main_params, start_service_manager_only);

 return RunOtherNamedProcessTypeMain(process_type, main_params, delegate_);
}

此處先判斷 process_type 是否為空，為空則代表當前執行的是默認進程（一般情況下為 Browser 進程），則調用 RunServiceManager()，否則調用 RunOtherNamedProcessTypeMain 根據process_type 來執行相應的進程。先來看 RunServiceManager：

// content\app\content_main_runner_impl.cc

int ContentMainRunnerImpl::RunServiceManager(MainFunctionParams& main_params,
 bool start_service_manager_only) {

 ......

 if (!service_manager_context_) {

 ......

 delegate_->PreCreateMainMessageLoop();

 ......
 
 delegate_->PostEarlyInitialization(main_params.ui_task != nullptr);

 ......
 
 }

 if (should_start_service_manager_only)
 return -1;

 is_browser_main_loop_started_ = true;
 startup_data_ = std::make_unique<StartupDataImpl>();
 startup_data_->thread = std::move(service_manager_thread_);
 startup_data_->service_manager_context = service_manager_context_.get();
 main_params.startup_data = startup_data_.get();
 return RunBrowserProcessMain(main_params, delegate_);
}

同樣，這里通過 delegate_ 做了一些操作之后，最后調用了 RunBrowserProcessMain() 函數，內容如下：

// content\app\content_main_runner_impl.cc

int RunBrowserProcessMain(const MainFunctionParams& main_function_params,
 ContentMainDelegate* delegate) {
 int exit_code = delegate->RunProcess("", main_function_params);
#if defined(OS_ANDROID)
 // In Android's browser process, the negative exit code doesn't mean the
 // default behavior should be used as the UI message loop is managed by
 // the Java and the browser process's default behavior is always
 // overridden.
 return exit_code;
#else
 if (exit_code >= 0)
 return exit_code;
 return BrowserMain(main_function_params);
#endif
}

非常簡單明了，首先通過 delegate->RunProcess 把執行默認進程的優先權交由 Embedder 層，如果 Embedder 層成功執行了進程並最終返回了成功標志（exit_code >= 0），那么就退出函數；如果 Embedder 層對默認進程沒有定義，就繼續執行 content::BrowserMain，由此，Browser 進程開始執行。

再來看 RunOtherNamedProcessTypeMain 函數：

// content\app\content_main_runner_impl.cc

int RunOtherNamedProcessTypeMain(const std::string& process_type,
 const MainFunctionParams& main_function_params,
 ContentMainDelegate* delegate) {
 static const MainFunction kMainFunctions[] = {

 ......
 
 {switches::kUtilityProcess, UtilityMain},
 {switches::kRendererProcess, RendererMain},
 {switches::kGpuProcess, GpuMain},
 };

 for (size_t i = 0; i < base::size(kMainFunctions); ++i) {
 if (process_type == kMainFunctions[i].name) {
 int exit_code = delegate->RunProcess(process_type, main_function_params);
 if (exit_code >= 0)
 return exit_code;
 return kMainFunctions[i].function(main_function_params);
 }
 }

 ......

 // If it's a process we don't know about, the embedder should know.
 return delegate->RunProcess(process_type, main_function_params);
}

先建立了一個進程類型和入口函數指針的對應數組，再根據進程類型去具體執行，執行的過程與 Browser 進程一樣，先通過 delegate->RunProcess 交由 Embedder 層處理，如果未處理再調用默認的進程入口函數，可以看到分別提供了 UtilityMain、RendererMain、GpuMain 這三個進程的入口，其中 RendererMain 則是我們關注的 Renderer 進程的入口函數，Renderer 進程從此處開始執行。最后一句，如果進程類型不在以上范圍內，則交由 Embedder 去處理。

9、程序結束

void ContentMainRunnerImpl::Shutdown() {
 DCHECK(is_initialized_);
 DCHECK(!is_shutdown_);

 if (completed_basic_startup_) {
 const base::CommandLine& command_line =
 *base::CommandLine::ForCurrentProcess();
 std::string process_type =
 command_line.GetSwitchValueASCII(switches::kProcessType);

 delegate_->ProcessExiting(process_type);
 }

#if !defined(CHROME_MULTIPLE_DLL_CHILD)
 // The BrowserTaskExecutor needs to be destroyed before |exit_manager_|.
 BrowserTaskExecutor::Shutdown();
#endif // !defined(CHROME_MULTIPLE_DLL_CHILD)

#if defined(OS_WIN)
#ifdef _CRTDBG_MAP_ALLOC
 _CrtDumpMemoryLeaks();
#endif // _CRTDBG_MAP_ALLOC
#endif // OS_WIN

 exit_manager_.reset(nullptr);

 delegate_ = nullptr;
 is_shutdown_ = true;
}

首先通過 delegate_->ProcessExiting(process_type) 通知 Embedder 層處理，然后做了一些善后釋放的工作，最后將 is_shutdown_ 標記置為 true。

10、總結

前面分析了這么多，其實結合類圖來看一下還是很簡單明了的，主要起到作用的就是圖中標紅的三個，service_manager::Main 通過 content::ContentServiceManagerMainDelegate 的實例調用了 content::ContentMainRunnerImpl 實例中的 Initialize()、Run()、Shutdown() 函數，而在這個Runner中，又通過 content::ContentMainDelegate 接口指針調用到了由 Embedder 層創建的 ChromeMainDelegate 實例中的函數，由此完成了程序的啟動以及 Content 層對 Embedder 的交互。